[F] XSS Possibility when posting a new announcement [C-Chris]
#1
To do this you must have admin permission. When you post a new announcement, insert a script string in the Title input,
e.g. <script>alert("Hi")</script>
After you post the new announcement, an alert will appear. On the user side this bug has no effect, but on the admin side it does. We'll insert a cookie-stealing process and so steal the founder account.

I hope you'll repair this bug
Hi,
Ketto93
_______________________
MyBB Italian Lover
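The report above boils down to a stored value (the announcement title) being written into an ACP page without HTML encoding. The following is an added example, not MyBB's own code, that puts the vulnerable rendering pattern beside the hardened one and includes a small check a maintainer can use to confirm that the escaped output carries no raw markup. The function names, the `<td>` wrapper and the sample title are constructed for illustration.

```php
<?php
// Added example (not MyBB's code): why an announcement title must be
// HTML-escaped at output time before it is echoed into an ACP page.

// Constructed sample input: the title from the bug report above.
$submittedTitle = '<script>alert("Hi")</script>';

// Vulnerable pattern (hypothetical): the stored title is interpolated
// into the page as-is, so the browser parses it as markup and the
// script runs in the admin's session.
function render_title_unescaped(string $title): string
{
    return "<td class=\"title\">{$title}</td>";
}

// Hardened pattern: encode the HTML metacharacters so the value is
// displayed as literal text. ENT_QUOTES also encodes single quotes,
// which matters when a value lands inside a single-quoted attribute;
// ENT_SUBSTITUTE prevents invalid UTF-8 from silently emptying the output.
function render_title_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<td class=\"title\">{$safe}</td>";
}

// Regression check: after stripping the one wrapper element we emitted
// ourselves, a correctly escaped title must leave no '<' behind.
function contains_raw_tag(string $html): bool
{
    $inner = preg_replace('#^<td class="title">|</td>$#', '', $html);
    return strpos($inner, '<') !== false;
}

$unsafe = render_title_unescaped($submittedTitle);
$safe   = render_title_escaped($submittedTitle);

// The unescaped rendering still contains a raw <script> tag; the
// escaped one does not.
var_dump(contains_raw_tag($unsafe));
var_dump(contains_raw_tag($safe));
echo $safe, PHP_EOL;
```

The important design point is that the encoding happens where the value is written into HTML, not where it is accepted from the form: the same title may later be placed into an attribute, a JavaScript string or a plain-text e-mail, and each of those contexts needs its own encoding. Filtering on input alone would also leave any titles already stored in the database unprotected.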
#2
Question: why would an admin plant a script on their own forum like that??
MyReactions - All Plugins

Can you still feel the butterflies?

Free never tasted like pudding.
#3
Maybe because there is an admin with restricted admin permission and he'd like to log in with the general administrator
Hi,
Ketto93
_______________________
MyBB Italian Lover
#4
Not only admins have the ability to announce though.
#5
Yes, but I tried from the ModCP and it doesn't work
Hi,
Ketto93
_______________________
MyBB Italian Lover
#6
(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to log in with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.
MyReactions - All Plugins

Can you still feel the butterflies?

Free never tasted like pudding.
#7
(12-10-2008, 05:36 PM)Matt_ Wrote:
(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to log in with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?
Hi,
Ketto93
_______________________
MyBB Italian Lover
#8
(12-10-2008, 05:47 PM)ketto93 Wrote:
(12-10-2008, 05:36 PM)Matt_ Wrote:
(12-10-2008, 05:29 PM)ketto93 Wrote: Maybe because there is an admin with restricted admin permission and he'd like to log in with the general administrator

If I thought they'd do that, the last thing I'd do is make them an admin. If I thought another admin would log in as me, there's no way I'd give them ACP access.

Likewise for Mods, if I thought they might do something like that, I wouldn't have them as a mod.

That's just my take on it - not necessarily saying it's right to be like that.

How can you know that he'll log in as you?

Well if I didn't trust someone enough to know that they wouldn't, I wouldn't make them an admin, that's my point.
MyReactions - All Plugins

Can you still feel the butterflies?

Free never tasted like pudding.
#9
This is a low risk XSS vulnerability because it only affects the ACP itself.
#10
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group
