Advanced Poll 6.x versions – XSS Vulnerability

lirantal

Liran is 31 years old and married to his beloved soul-mate Tal. As an avid supporter of the open source community, he plays the role of leading developer for some projects and contributes code to many others. Some of his geek activities include programming, playing his guitar and even running The Hacker’s Choice BBS back in the pre-Internet days of ’95. Liran is passionate about creating software products, combining his technical skills with an exquisite entrepreneurial spirit and business orientation to build successful ventures. Liran currently works at HP Software, leading the development team on a Drupal-based collaboration platform in HP's Live Network R&D group. At HPLN, Liran plays a key role in system architecture design, shaping the technology strategy from planning and development to deployment and maintenance in HP's IaaS cloud. Acting as the technological focal point, he loves mentoring team mates, driving for better code methodology and seeking out innovative solutions to support business strategies.

2 Responses

  1. Damien McKenna says:

    Drupal has a well established process for dealing with security issues, in fact on EVERY SINGLE ISSUE CREATION PAGE, e.g. the page you would have submitted that issue from (https://drupal.org/node/add/project-issue/advpoll) it says right there “Security issues should not be reported here. Instead, follow the procedure for reporting security issues.” which links to https://drupal.org/node/101494.

    Please follow these procedures and STOP REPORTING SECURITY VULNERABILITIES IN PUBLIC ISSUE QUEUES!

    The security of every site that uses a module with a vulnerability is dependent upon these procedures being used, specifically that the security team work with the maintainers to fix the issue & create a new project release before publicizing the vulnerability, so that site maintainers then have a fix available as soon as the vulnerability is disclosed.

  2. drunken monkey says:

    I think it would be good if you noted here why you posted it in public (module has no stable release and (I guess the main reason) seems to be pretty much unmaintained), and that that usually shouldn’t be done. Otherwise, people not familiar with Drupal’s security policy might learn this the wrong way.
