MyBB Community Forums

Full Version: [F] XSS possibility when posting a new announcement [C-Chris]
To do this you must have admin permission. When you post a new announcement, insert a script string in the Title input,
ex: <script>alert("Hi")</script>
After you post the new announcement, an alert appears. On the user side this bug has no effect, but on the admin side it does. We could insert a cookie-stealing process and so steal the founder account.

I hope you'll repair this bug
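The defect described in the report above, shown as an added PHP example that is not MyBB's own code: the stored announcement title is written into the ACP page unencoded, so the browser parses the script element, and the fix is to encode for the HTML context at output time. The sample announcement array, render_title_unsafe(), render_title_safe(), esc_html() and check_escaping() are assumptions made for this illustration; htmlspecialchars() is the real PHP function.

```php
<?php
// Added illustration, not MyBB code. Hypothetical announcement record and
// render helpers; the only real API used is htmlspecialchars().
declare(strict_types=1);

// Constructed sample record carrying the title from the bug report.
$announcement = [
    'aid'   => 1,
    'title' => '<script>alert("Hi")</script>',
];

// Vulnerable pattern (hypothetical): the title goes into the ACP listing as-is,
// so the browser treats the stored text as markup and runs the script.
function render_title_unsafe(string $title): string
{
    return '<td class="announcement_title">' . $title . '</td>';
}

// Hardened pattern: encode for the HTML text context before output.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside quoted
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding ''.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_title_safe(string $title): string
{
    return '<td class="announcement_title">' . esc_html($title) . '</td>';
}

// Regression-style check: the payload must survive as visible text, but no
// '<' from the stored title may reach the output as a real tag delimiter.
function check_escaping(string $title): bool
{
    $rendered = render_title_safe($title);
    $wrapperOpen  = '<td class="announcement_title">';
    $wrapperClose = '</td>';
    $inner = substr($rendered, strlen($wrapperOpen), -strlen($wrapperClose));
    return strpos($inner, '<') === false
        && strpos($inner, '>') === false
        && html_entity_decode($inner, ENT_QUOTES, 'UTF-8') === $title;
}

$unsafe = render_title_unsafe($announcement['title']);
$safe   = render_title_safe($announcement['title']);

printf("unsafe: %s\n", $unsafe);
printf("safe:   %s\n", $safe);

if (!check_escaping($announcement['title'])) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
echo "escaping check passed\n";
```

Encoding belongs at the point where the value meets the page, not at storage time: the raw title can stay in the database unchanged, and every template that prints it (ACP listing, edit form, front-end announcement view) applies the same context-appropriate encoder. A check like check_escaping() in the test suite would catch a template that forgets it.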
Question: why would an admin plant a script on their own forum like that??
Maybe because there is an admin with restricted admin permissions who would like to log in as the general administrator.
Not only admins have the ability to announce though.
Yes, but I tried from the ModCP and it doesn't work.
(2008-12-10, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permissions who would like to log in as the general administrator.

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.
(2008-12-10, 05:36 PM)Matt_ Wrote:
(2008-12-10, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permissions who would like to log in as the general administrator.

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?
(2008-12-10, 05:47 PM)ketto93 Wrote:
(2008-12-10, 05:36 PM)Matt_ Wrote:
(2008-12-10, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permissions who would like to log in as the general administrator.

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?

Well if I didn't trust someone enough to know that they wouldn't, I wouldn't make them an admin, that's my point.
This is a low risk XSS vulnerability because it only affects the ACP itself.
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group