MyBB Community Forums

Full Version: Theme name in administrator logs
This really isn't a security issue at all, but it should be fixed nonetheless. If you edit something in a theme named <SCRIPT>alert("XSS")</SCRIPT>, you will get a popup on the admin logs page. It doesn't look like there's a htmlspecialchars_uni present for any of the records.

Proof of concept:
http://i.imgur.com/ryieoEy.png
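The sink the report describes, as an added example that is not part of the original post or of MyBB's own code: two admin log rows are constructed inline (the real ones come from the admin log table), the theme name is rendered once unescaped and once through an `htmlspecialchars_uni()` stand-in. That stand-in is an assumption modelled on the MyBB helper's behaviour (escape `&`, `<`, `>` and `"` while leaving numeric entities alone); the row layout and column names are illustrative.

```php
<?php
// Added example, not MyBB code. Shows why a theme named
// <SCRIPT>alert("XSS")</SCRIPT> fires on the admin log page when the
// log records are echoed unescaped, and the output-time escaping that fixes it.

// Stand-in for MyBB's htmlspecialchars_uni() (assumption: modelled on the
// helper's behaviour; it escapes & < > " but keeps numeric entities intact).
function htmlspecialchars_uni($message)
{
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed log records. 'data' stands for the extra fields stored with an
// admin log entry; 'name' is the theme name typed by the administrator.
$records = [
    ['username' => 'admin', 'module' => 'style-themes', 'action' => 'edit',
     'data' => ['tid' => 2, 'name' => '<SCRIPT>alert("XSS")</SCRIPT>']],
    ['username' => 'admin', 'module' => 'style-themes', 'action' => 'edit',
     'data' => ['tid' => 1, 'name' => 'Default & "Blue"']],
];

// Vulnerable rendering: stored values dropped straight into the table markup,
// which is the behaviour the report describes.
function render_row_vulnerable(array $row)
{
    return "<td>{$row['username']}</td><td>{$row['module']}</td>"
         . "<td>Edited theme {$row['data']['name']}</td>";
}

// Hardened rendering: every field that an admin (or a compromised admin
// session) can influence is escaped at output time, not just the theme name.
function render_row_safe(array $row)
{
    $user   = htmlspecialchars_uni($row['username']);
    $module = htmlspecialchars_uni($row['module']);
    $name   = htmlspecialchars_uni($row['data']['name']);
    return "<td>{$user}</td><td>{$module}</td><td>Edited theme {$name}</td>";
}

foreach ($records as $row) {
    echo "vulnerable: ", render_row_vulnerable($row), "\n";
    echo "hardened:   ", render_row_safe($row), "\n";
}

// Self-check: no raw tag survives in the hardened output.
foreach ($records as $row) {
    assert(stripos(render_row_safe($row), '<script') === false);
    assert(strpos(render_row_vulnerable($records[0]), '<SCRIPT>') !== false);
}
```

Escaping belongs at the point of output rather than at storage: the same theme name is also shown in the theme editor and elsewhere, and entity-encoding it before it reaches the database would double-encode it in those places while still leaving any record written before the fix unescaped in the log.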
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis, where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/27

Thanks for contributing to MyBB!

Regards,
The MyBB Group