[Pushed] Theme name in administrator logs
#1
This really isn't a security issue at all, but it should be fixed nonetheless. If you edit something in a theme named <SCRIPT>alert("XSS")</SCRIPT>, you will get a popup on the admin logs page. It doesn't look like there's an htmlspecialchars_uni present for any of the records.

Proof of concept:
http://i.imgur.com/ryieoEy.png
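The missing output encoding described above, shown as an added PHP example that is not MyBB's own code: a constructed admin-log record whose theme name carries the reporter's `<SCRIPT>` payload is rendered once without escaping and once with it. The record layout, field names and the `render_row_*` helpers are assumptions made for the example; the project's own helper, as the report notes, is `htmlspecialchars_uni`, for which plain `htmlspecialchars` stands in here so the snippet runs outside MyBB.

```php
<?php
// Added example, not MyBB code. Field names and helpers are assumptions.
// Stand-in for MyBB's htmlspecialchars_uni(): encode every character that
// could start or end an HTML tag or attribute.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample record, shaped roughly like a theme-edit entry in the
// admin log (not MyBB's real schema). The theme name is user-controlled.
$log_entry = [
    'username' => 'admin',
    'action'   => 'edit_theme',
    'data'     => ['tname' => '<SCRIPT>alert("XSS")</SCRIPT>'],
];

// Vulnerable rendering: the stored theme name is interpolated into the
// page as-is, so the browser executes it when the log page is viewed.
function render_row_unescaped(array $entry): string
{
    return "<tr><td>{$entry['username']}</td>"
         . "<td>Edited theme {$entry['data']['tname']}</td></tr>";
}

// Fixed rendering: every stored field is escaped at output time, for every
// record, not just the one that happens to contain markup.
function render_row_escaped(array $entry): string
{
    $user  = escape_for_html($entry['username']);
    $theme = escape_for_html($entry['data']['tname']);
    return "<tr><td>{$user}</td><td>Edited theme {$theme}</td></tr>";
}

// Simple self-check: the escaped row must contain no raw '<' from the data.
function row_is_safe(string $html, string $raw_theme): bool
{
    return strpos($html, $raw_theme) === false
        && strpos($html, '&lt;SCRIPT&gt;') !== false;
}

echo render_row_unescaped($log_entry), "\n";
echo render_row_escaped($log_entry), "\n";
var_dump(row_is_safe(render_row_escaped($log_entry), $log_entry['data']['tname']));
```

Running this prints the unescaped row with the live `<SCRIPT>` tag, then the escaped row with `&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;`, and `bool(true)` from the self-check. The point the report makes is that the escape has to be applied uniformly to each field of each log record at display time, rather than to the one field where a payload was noticed.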
#2
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/27

Thanks for contributing to MyBB!

Regards,
The MyBB Group