MyBB Community Forums
[F] XSS Possibility when you posting a new announcement [C-Chris] - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: Community Archive (https://community.mybb.com/forum-106.html)
+--- Forum: Archived Forums (https://community.mybb.com/forum-143.html)
+---- Forum: Archived Development and Support (https://community.mybb.com/forum-155.html)
+----- Forum: Archived Bug Reports (https://community.mybb.com/forum-74.html)
+------ Forum: MyBB 1.4.4 (https://community.mybb.com/forum-110.html)
+------ Thread: [F] XSS Possibility when you posting a new announcement [C-Chris] (/thread-41755.html)



[F] XSS Possibility when you posting a new announcement [C-Chris] - ketto93 - 12-10-2008

To do this you must have admin permission. When you post a new announcement you'll insert a script string in the Title Input
ex: <script>alert("Hi")</script>
After that you post a new announcement it'll appair an alert. In user side this bug hasn't effect but in admin side yes. We'll insert a cookie stealing process and so to steal the founder account.

I hope you'll repair this bug


RE: XSS Possibility when you posting a new announcement - Matt - 12-10-2008

Question: why would an admin plant a script on their own forum like that??


RE: XSS Possibility when you posting a new announcement - ketto93 - 12-10-2008

Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator


RE: XSS Possibility when you posting a new announcement - Martin M. - 12-10-2008

Not only admins have the ability to announce though.


RE: XSS Possibility when you posting a new announcement - ketto93 - 12-10-2008

Yes but i tried from the ModCP but it doesn't work


RE: XSS Possibility when you posting a new announcement - Matt - 12-10-2008

(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.


RE: XSS Possibility when you posting a new announcement - ketto93 - 12-10-2008

(12-10-2008, 05:36 PM)Matt_ Wrote:
(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?


RE: XSS Possibility when you posting a new announcement - Matt - 12-10-2008

(12-10-2008, 05:47 PM)ketto93 Wrote:
(12-10-2008, 05:36 PM)Matt_ Wrote:
(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to login with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?

Well if I didn't trust someone enough to know that they wouldn't, I wouldn't make them an admin, that's my point.


RE: XSS Possibility when you posting a new announcement - Ryan Gordon - 12-10-2008

This is a low risk XSS vulnerability because it only affects the ACP itself.


[F] XSS Possibility when you posting a new announcement - Ryan Gordon - 12-10-2008

Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group