Mart 2008’de rapor ettiğim bu güvenlik açığı Ekim 2009’da giderildi.
The Abuse module enables users to flag nodes and comments as offensive, bringing them to the attention of the site maintainer for review. The module suffers from a Cross Site Scripting (Cross Site Scripting) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.
O zaman gönderdiğim e-posta
Abuse module displays flagged nodes in a moderation queue without applying filters (without calling node_view) on them.
Module version: abuse 5.x-1.x-dev at (http://drupal.org/node/123349)
Steps to reproduce:
- Install abuse.module.
- Enable flagging of any content type at “admin/settings/abuse” page.
- Flag a node by using “Flag as offensive” link on “node/#nid” page.
- Go to “admin/content/abuse” page. Under any tab one can see unfiltered node contents.