* isn't a security ISSUE! *

In the Mambo survey modules, there is a little problem that originates character injections.

http://www.site.dom/index.php?option=com_poll&task=results&id=18&mosmsg=messages

You can edit "messages" and insert what you prefer; the module captures it and shows the messages in the page. Try it:

http://www.slacky.it/index.php?option=com_poll&task=results&id=18&mosmsg=TEST (my friend's website)

NOW demo.mamboserver.com is vulnerable!

http://demo.mamboserver.com/index.php?option=com_poll&task=results&id=15&mosmsg=BUGGED

CMSs usually use global active vars.. Mambo used mosmsg only for the survey modules, and I think this alpha-patch:

$mosmsg='Thanks for your vote!';

Joomla was bugged too: http://bugs.gentoo.org/show_bug.cgi?id=149934

Mambo devel contacted.
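The reflected-message pattern the report describes, shown next to a hardened version, as an added example (not code from the report or from Mambo itself). The function names, the message table and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example: the reflected-message pattern from the report beside a
// hardened version. Function names and the message table are assumptions,
// not Mambo's own code.

// Vulnerable pattern: the request parameter is written straight into the page,
// so whatever follows mosmsg= in the URL lands in the HTML unescaped.
function render_message_vulnerable(array $request): string
{
    $mosmsg = $request['mosmsg'] ?? '';
    return '<div class="message">' . $mosmsg . '</div>';
}

// Hardened pattern, two layers:
//  1. Treat the parameter as a key into a fixed table of server-side messages.
//     The report's alpha-patch hard-codes one message; an allow-list keeps the
//     same property (no user text is ever displayed) while allowing several.
//  2. HTML-escape on output anyway, so a future message containing markup
//     characters cannot break out of the element.
const POLL_MESSAGES = [
    'voted'   => 'Thanks for your vote!',
    'already' => 'You have already voted in this poll.',
];

function render_message_hardened(array $request): string
{
    $key = $request['mosmsg'] ?? '';
    // Unknown or missing keys fall back to the default message instead of
    // echoing the raw value.
    $text = POLL_MESSAGES[$key] ?? POLL_MESSAGES['voted'];
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="message">' . $safe . '</div>';
}

// Constructed sample requests (stand-ins for $_GET).
$benign   = ['mosmsg' => 'voted'];
$tampered = ['mosmsg' => '<b>BUGGED</b>'];

echo render_message_vulnerable($tampered), "\n"; // markup is reflected as-is
echo render_message_hardened($tampered), "\n";   // falls back to the fixed text
echo render_message_hardened($benign), "\n";     // looks up the allow-listed text
```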
As said on the other bug, please send this upstream.
(In reply to comment #1)
> As said on the other bug, please send this upstream.
>
ok, sorry :)