Drupal Hotblocks 6.x Cross Site Scripting

2012.08.16
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

For the curious:

XSS Exploit:
---------------
1. Install and enable the HotBlocks module
2. Navigate to the Hotblocks settings page at ?q=admin/settings/hotblocks
3. Change Block #1 Name to "<script>alert('xss');</script>"
4. View the rendered Javascript at ?q=admin/content/hotblocks

Denial of Service Exploit:
--------------------------------
1. Install and enable the HotBlocks module
2. Navigate to the Hotblocks settings page at ?q=admin/settings/hotblocks
3. Change Block #1 Name to "<script>alert('xss');</script>"
4. Change "Term for hotblocks item:" to "hotblock item <script>alert('hotblock term');</script>"
5. Change "Term for hotblocks items:" to "hotblock item <script>alert('hotblock terms');</script>"
6. Save configuration
7. Go to Block admin at ?q=admin/build/block
8. Drag the Block #1 to the left sidebar and 'Save'
9. Return to the home page.
10. Click the 'Put a hotblock here' icon in the left sidebar and click the malicious name. This points to a link such as hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352
11. Refresh the page - WSOD; error logs indicate something like:

[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal Segmentation fault (11)

or

[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer: http://10.10.0.101/drupal/

Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at http://www.madirish.net/gpgkey
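As an added defender-side example (not part of the advisory or the HotBlocks module): a small Python scanner that flags the two Apache error_log signatures quoted above, the worker segfault and the PHP maximum-execution-time fatal, so an operator can detect the white-screen condition from logs instead of from user reports. The Apache 2.2 error_log layout and the sample lines are constructed from the entries in this advisory; signature names are the example's own.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Apache 2.2 error_log layout (constructed from the advisory's quoted lines):
# "[Mon Aug 06 15:42:37 2012] [level] [client IP] message, referer: URL"
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

# The two failure signatures the advisory reports for the HotBlocks WSOD.
SIGNATURES = {
    "worker_segfault": re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault"),
    "php_exec_timeout": re.compile(
        r"PHP Fatal error: Maximum execution time of (?P<seconds>\d+) seconds exceeded "
        r"in (?P<file>\S+) on line (?P<line>\d+)"
    ),
}

def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding dict for a line matching a known signature, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    for kind, sig in SIGNATURES.items():
        hit = sig.search(m["msg"])
        if hit:
            return {"kind": kind, "level": m["level"], "client": m["client"],
                    "referer": m["referer"],
                    "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                    **hit.groupdict()}
    return None

def scan_error_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Collect findings, in log order, from an iterable of error_log lines."""
    return [f for f in (classify(l) for l in lines) if f]

def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per signature kind (useful as an alert threshold input)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["kind"])] = counts.get(str(f["kind"]), 0) + 1
    return counts

# Constructed sample: the two advisory lines plus one unrelated, benign error.
SAMPLE_LOG = """\
[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal Segmentation fault (11)
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer: http://10.10.0.101/drupal/
[Mon Aug 06 15:22:31 2012] [error] [client 10.10.0.1] File does not exist: /var/www/html/favicon.ico
"""

if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG.splitlines()):
        print(f["when"], f["kind"], f["client"], f.get("file", ""))
```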

References:

http://www.MadIrish.net



Copyright 2024, cxsecurity.com
