Closed (fixed)
Project:
Project
Version:
x.y.z
Component:
Projects
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
9 Apr 2006 at 08:07 UTC
Updated:
19 May 2006 at 08:45 UTC
I've observed this problem when changing the title of the following issue:
http://drupal.org/node/57918
and I'll try to do some tests now here.
Comments
Comment #1
markus_petrux commentedChanging the title here
Comment #2
markus_petrux commentedok, please note the "issue changes line" on the above comment. The tags have not been cleaned!
Comment #3
killes@www.drop.org commentedCan you add actual XSS? em isn't particularly dangerous.
Comment #4
markus_petrux commentedtesting script
Comment #5
markus_petrux commentedSo there is some kind of filtering? Anyway, it doesn't match the filter applied to the issue title.
Comment #6
Zen commentedComment #7
dwwi already found and fixed these bugs on april 22nd. the version of project.module running on drupal.org was updated on that day. in fact, i've got a draft of the security announcement about this already written and submitted to security@drupal.org.
by the way, that is the correct place to send reports of possible security problems, not directly to the public issue queue. that way, the security team has a chance to verify, fix, and prepare a release that closes the hole, before the exploit is publically known. i'm just waiting the approval of the announcement (which was lower priority than getting 4.7.0 out, it seems) and the whole world will know about this bug and the fact that it's already been fixed.
thanks,
-derek
Comment #8
markus_petrux commentedTrue, mea culpa
But these things happen:
http://drupal.org/node/19845 (opened April, 2 2005, session fixation 1 year later)
Comment #9
(not verified) commented