In Drupal there is a little problem that causes character injection. http://www.website.dom/drupal-path/?q=user/MESSAGES You can edit "messages" and insert what you prefer; the variable is printed and the message is shown on the page. The Drupal demo is vulnerable too. Test: http://demo.opensourcecms.com/drupal/?q=user/messages I will contact the Drupal developers.
I'm a little confused on the security impact of this. I tried it myself and it seems you have to be logged in to access that page anyway. Because OpenSourceCMS is single-user, I wasn't able to check and see if I could access other users' pages.
Guys, seriously, this is not a security issue. Thanks for playing around and looking for problems, but "character injection" is not a vulnerability; web-apps are designed to work like this. If you can inject **arbitrary** characters, let us know. RESOLVED -> INVALID.
I talked with Heinet (Drupal security devel), and he patched it.
Patch: Simply remove lines 902-904 from modules/user.module:
if ($msg) {
  $form['message'] = array('#value' => '<p>'. check_plain($msg) .'</p>');
}
Created attachment 98887 [details, diff] remove msg drupal bug
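To make the "not a security issue" verdict concrete, here is an added stand-alone PHP example (not Drupal's code and not the attached patch) that models the three lines quoted above before and after their removal. check_plain_standin(), build_message_block_before_patch(), build_message_block_after_patch(), escapes_all_markup() and the test string are assumptions introduced for the example; the stand-in for check_plain() only does the htmlspecialchars() step and omits the UTF-8 validation the real Drupal function performs.

```php
<?php
// Added example: models the reflected "msg" block from Drupal 4.7's
// modules/user.module as a stand-alone script. Not Drupal's own code.

// Stand-in for Drupal's check_plain(): HTML-escape every markup-significant
// character, including both quote styles. Assumption: the real function also
// validates UTF-8 first; that step is omitted here.
function check_plain_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Behaviour of the lines before the patch: the supplied message is reflected
// into the page, but only after being escaped.
function build_message_block_before_patch(?string $msg): string {
    if ($msg) {
        return '<p>' . check_plain_standin($msg) . '</p>';
    }
    return '';
}

// Behaviour after the patch: the block is gone, so nothing is reflected at all.
function build_message_block_after_patch(?string $msg): string {
    return '';
}

// Check that no raw angle brackets or quotes from the input survive in the
// output beyond the fixed <p> ... </p> wrapper the code itself emits.
function escapes_all_markup(string $input, string $output): bool {
    $inner = substr($output, strlen('<p>'), -strlen('</p>'));
    return strpbrk($inner, '<>"\'') === false;
}

// Constructed test string: the characters a tester would use to see whether
// the paragraph can be closed early or an attribute broken out of.
$test_input = '</p><b>x</b>"\'';

$before = build_message_block_before_patch($test_input);
echo $before, PHP_EOL;
// Expected: <p>&lt;/p&gt;&lt;b&gt;x&lt;/b&gt;&quot;&#039;</p>
// Every special character is encoded, so the browser shows the string as
// literal text; this is why the report was closed as invalid.
if (!escapes_all_markup($test_input, $before)) {
    throw new RuntimeException('escaping failed');
}

$after = build_message_block_after_patch($test_input);
echo '[' . $after . ']', PHP_EOL; // prints [] - the block no longer exists
```

The removal in the patch takes away the reflected text entirely, which is a tidy cleanup, but the escaped output of the original lines was already inert; that is the distinction the maintainers draw between "character injection" and injecting arbitrary, unescaped characters.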
Reopening to reassign, sorry for the noise! Best regards, CHTEKK.
Reassigning...
Note: while I provided a patch (it was asked for), we do not consider this a security issue. Heine
No security issue, no need to fix then, as I hate bumping web-apps needlessly. Drupal-4.7.4 has since come out without this patch in.