2013-02-12, 09:11 AM
There is quiet a lot of XSS vulnerabilities in the Admin panel. None of them are serious, but will be great if they are fixed. This will only make a mess if you have access to the admin panel. Tese were reported a fe months ago as well.
Script used:
Places tested = Result:
Adding new forums, and sub forums:
Adding new Group:
Plugins:
Personally i think that the use of the <script> tag in the Usergroup Titles, Forum titles, and Descriptions is unnecessary. There is a few more, but that isn't big ones, but rather small ones.
Script used:
<SCRIPT>alert("Test")</SCRIPT>
Places tested = Result:
Adding new forums, and sub forums:
- Forum Titles - Pops up XSS alert on index page
- Forum Description - Pops up XSS alert on index page
Adding new Group:
- Group Title - Pops up on Group management page
- Description - On group management page
- Title - When editing a user in the Admin panel
- Username style - When viewing moderator logs (or any ware username is displayed) (only if the group is the users default group.
Plugins:
- Plugin Titles - The plugin titles allows one to use the <script> tag, this might be a problem if you download plugins from somewhere else without validating, as it breaks the plugin page in the acp.
Personally i think that the use of the <script> tag in the Usergroup Titles, Forum titles, and Descriptions is unnecessary. There is a few more, but that isn't big ones, but rather small ones.