Today I tried to erase a spam trackback and I can't. It is because the text of the trackback has at the end an 'a' tag without closing it (and without text). The Confirm erase button is next to the text and it becomes a button for that link and loses its functionality of submitting the form.

Effects:

  • the button of confirm erase is made unusable
  • the attacker can redirect to any page with the session and cookies of the admin

I suppose it is a general problem of every text field, but I can't prove it.

page attached

(to erase it I had to save that page to HD, modify formaction and delete the open a tag)

Attachment: 3.htm.txt (4.89 KB) by jamarier

Comments

jamarier’s picture

I solved it by swapping 2 lines in trackback.module:

from:

drupal_set_message(t('Do you want to delete this trackback?'));
$output .= theme('trackback',$trackback_received,FALSE); // untrusted trackback markup is printed first
$output .= form(form_submit(t('Delete')));                // so the Delete form ends up inside its unclosed <a>
print theme('page',$output);

to:

drupal_set_message(t('Do you want to delete this trackback?'));
$output .= form(form_submit(t('Delete')));                // Delete form now comes before the trackback text
$output .= theme('trackback',$trackback_received,FALSE); // so a dangling <a> can no longer swallow the button
print theme('page',$output);
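One way to detect the dangling tag before rendering the trackback next to the form, and to verify that either closing it or reordering the output keeps the Delete button out of the attacker's link. This is an added Python example, not code from this issue or from trackback.module; the sample markup and the attacker.example host are constructed.

```python
from html.parser import HTMLParser

# Tags that have no closing counterpart; never pushed on the open-tag stack.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class TagTracker(HTMLParser):
    """Track open tags and note whether a <form> begins inside an open <a>."""

    def __init__(self):
        super().__init__()
        self.stack = []
        self.form_inside_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "form" and "a" in self.stack:
            self.form_inside_anchor = True
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Close the innermost matching tag; stray closers are ignored.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def unclosed_tags(fragment):
    """Return tags the untrusted fragment opens but never closes."""
    p = TagTracker()
    p.feed(fragment)
    p.close()
    return list(p.stack)


def close_dangling(fragment):
    """Append the missing closers so the fragment cannot leak into what follows."""
    return fragment + "".join(f"</{t}>" for t in reversed(unclosed_tags(fragment)))


def delete_button_hijacked(trackback_html, form_html):
    """True when the Delete form lands inside an anchor opened by the trackback."""
    p = TagTracker()
    p.feed(trackback_html + form_html)
    p.close()
    return p.form_inside_anchor


# Constructed sample: trackback text ending in an unclosed link, and the Delete form.
SPAM = '<p>Nice post</p><a href="http://attacker.example/">'
DELETE_FORM = '<form method="post"><input type="submit" value="Delete"></form>'
```

Rendering `SPAM + DELETE_FORM` reproduces the hijacked button; both `close_dangling(SPAM) + DELETE_FORM` and `DELETE_FORM + SPAM` (the reordering above) keep the form outside the anchor.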

Pomliane’s picture

Status: Active » Closed (won't fix)

This version of TrackBack is not supported anymore. The issue is closed for this reason.
Please upgrade to a supported version and feel free to reopen the issue on the new version if applicable.

This issue has been automagically closed by a script.