Drupal Hotblocks 6.x Cross Site Scripting

Date: 15 Aug 2012
Reported by: Justin C. Klein Keane
Type: packetstorm
Source: packetstormsecurity.com

Drupal Hotblocks 6.x Cross Site Scripting and Denial of Service Exploit

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
For the curious:  
  
XSS Exploit:  
- ---------------  
1. Install and enable the HotBlocks module  
2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks  
3. Change Block #1 Name to "<script>alert('xss');</script>"  
4. View the rendered Javascript at ?q=admin/content/hotblocks  
  
Denial of Service Exploit:  
- --------------------------------  
1. Install and enable the HotBlocks module  
2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks  
3. Change Block #1 Name to "<script>alert('xss');</script>"  
4. Change "Term for hotblocks item:" to "hotblock item  
<script>alert('hotblock term');</script>"  
5. Change "Term for hotblocks items:" to "hotblock item  
<script>alert('hotblock terms');</script>"  
6. Save configuration  
7. Go to Block admin at ?q=admin/build/block  
8. Drag the Block #1 to the left sidebar and 'Save'  
9. Return to the home page.  
9. Click the 'Put a hotblock here' icon in the left sidebar and click  
the malicious name. This points to a link such as  
hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352  
10. Refresh the page - WSOD, error logs indicate something like:  
[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal  
Segmentation fault (11)  
or  
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error:  
Maximum execution time of 30 seconds exceeded in  
/var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer:  
http://10.10.0.101/drupal/  
  
  
Justin C. Klein Keane  
http://www.MadIrish.net  
  
The PGP signature on this email can be verified using the public key at  
http://www.madirish.net/gpgkey  
`
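
The XSS steps above depend on an administrator-supplied block name and term being rendered as markup. The following PHP is an added example, not Hotblocks code and not from the advisory's author: it puts the unsafe concatenation pattern beside output escaping of the kind Drupal 6's check_plain() provides, and adds a small audit helper. All function names and array keys are hypothetical, and the settings array is constructed from the values in the steps.

```php
<?php
// Added example; not Hotblocks source. Names and keys are hypothetical.

// Stand-in for Drupal 6's check_plain() so this file runs without Drupal.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed settings, using the values from the advisory's steps.
$settings = array(
  'block_1_name' => "<script>alert('xss');</script>",
  'item_term'    => "hotblock item <script>alert('hotblock term');</script>",
  'items_term'   => "hotblock item <script>alert('hotblock terms');</script>",
);

// Vulnerable pattern: stored settings concatenated into markup as-is,
// so the browser parses the <script> element.
function example_render_unsafe(array $s) {
  return '<h3>' . $s['block_1_name'] . '</h3>'
       . '<a href="#">Add ' . $s['item_term'] . '</a>';
}

// Hardened pattern: every stored value is escaped at the point of output,
// so the same input is displayed as inert text.
function example_render_safe(array $s) {
  return '<h3>' . example_check_plain($s['block_1_name']) . '</h3>'
       . '<a href="#">Add ' . example_check_plain($s['item_term']) . '</a>';
}

// Audit helper: list the settings whose stored value contains markup,
// for reviewing what is already saved on an affected site.
function example_find_markup(array $s) {
  $hits = array();
  foreach ($s as $key => $value) {
    if ($value !== strip_tags($value)) {
      $hits[] = $key;
    }
  }
  return $hits;
}

echo example_render_unsafe($settings), "\n";
echo example_render_safe($settings), "\n";
echo 'Settings containing markup: ',
     implode(', ', example_find_markup($settings)), "\n";
```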

Vulners AI Score: 7.4 (High risk)