MyBB Community Forums

Full Version: [F] XSS Possibility when you posting a new announcement [C-Chris]
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
To do this you must have admin permission. When you post a new announcement you'll insert a script string in the Title Input
ex: <script>alert("Hi")</script>
After that you post a new announcement it'll appair an alert. In user side this bug hasn't effect but in admin side yes. We'll insert a cookie stealing process and so to steal the founder account.

I hope you'll repair this bug
Question: why would an admin plant a script on their own forum like that??
Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator
Not only admins have the ability to announce though.
Yes but i tried from the ModCP but it doesn't work
(12-10-2008, 05:29 PM)ketto93 Wrote: [ -> ]Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.
(12-10-2008, 05:36 PM)Matt_ Wrote: [ -> ]
(12-10-2008, 05:29 PM)ketto93 Wrote: [ -> ]Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?
(12-10-2008, 05:47 PM)ketto93 Wrote: [ -> ]
(12-10-2008, 05:36 PM)Matt_ Wrote: [ -> ]
(12-10-2008, 05:29 PM)ketto93 Wrote: [ -> ]Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?

Well if I didn't trust someone enough to know that they wouldn't, I wouldn't make them an admin, that's my point.
This is a low risk XSS vulnerability because it only affects the ACP itself.
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group