Vulerability severity so high that in these theme iam facing a problem with Cross site scripting in URLS.
Example : If i give the URL as http://localhost/site/node/1/%22%3e%3cscript%3ealert(45375)%3c/script%3e
it is executing the script and disturbing whole site.
the following screen appears when above url is given.
while giving same url changing zero point theme to default bartik theme it is not allowing scripts.
how disable javascripts in URLS.Please help soon.Please give me reply soon i have to move my site to production.
My Testing report was like this
The following changes were applied to the original request:
• Set path to '/sitename/node/30/%22%3e%3cscript%3ealert(45375)%3c/script%3e'
Validation In Response:
• 5375 page-node-scriptalert45375-script node-type-page not-admin section-node
page-node/30/">
layout-jello var bicons48 picons
himg lg-en " >
| Comment | File | Size | Author |
|---|---|---|---|
| Screenshot from 2012-11-02 15:44:01.png | 78.96 KB | sahithi |
Comments
Comment #1
sahithi commentedCross site scripting in site.
hey i got it
Change line number 36 in template.php
$path = drupal_get_path_alias($_GET['q']); to
$path = drupal_get_path_alias(check_plain($_GET['q']));
Comment #2
florian commentedFixed in zeropoint 6.x-1.18
Comment #2.0
florian commentedMy Testing report was like this
The following changes were applied to the original request:
• Set path to '/sitename/node/30/%22%3e%3cscript%3ealert(45375)%3c/script%3e'
Validation In Response:
alert(45375) alert(45375) alert(45375)• 5375 page-node-scriptalert45375-script node-type-page not-admin section-node
page-node/30/">
layout-jello var bicons48 picons
himg lg-en " >
Reasoning:
The test successfully embedded a script in the response, and it will be executed once the page is
loaded in the user's browser. This means the application is vulnerable to Cross-Site Scripting.