-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the curious:

XSS Exploit:
- ---------------
1.  Install and enable the HotBlocks module
2.  Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3.  Change Block #1 Name to "<script>alert('xss');</script>"
4.  View the rendered Javascript at ?q=admin/content/hotblocks

Denial of Service Exploit:
- --------------------------------
1.  Install and enable the HotBlocks module
2.  Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3.  Change Block #1 Name to "<script>alert('xss');</script>"
4.  Change "Term for hotblocks item:" to "hotblock item
<script>alert('hotblock term');</script>"
5.  Change "Term for hotblocks items:" to "hotblock item
<script>alert('hotblock terms');</script>"
6.  Save configuration
7.  Go to Block admin at ?q=admin/build/block
8.  Drag the Block #1 to the left sidebar and 'Save'
9.  Return to the home page.
9.  Click the 'Put a hotblock here' icon in the left sidebar and click
the malicious name.  This points to a link such as
hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352
10.  Refresh the page - WSOD, error logs indicate something like:
[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal
Segmentation fault (11)
or
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error:
 Maximum execution time of 30 seconds exceeded in
/var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer:
http://10.10.0.101/drupal/


Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey