[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SMF 1.1.7 Persistent XSS (requires permision to edit censor)



Thanks for your report.

However, while this can be used in a malicious way, this is an action which 
requires administrative access by default to even access.  That is, someone 
must physically give someone else access, or someone must gain access to this 
function to be able to pull off anything with it.

The functionality is intended to allow an administrative user to replace 
certain text with text, html, or imagery as necessary.

Given that an administrative user can install modification packages as well as 
edit the template and language files, version depending, all of which require 
adminsitrative access, I also do not feel this is a very likely attack vector.

I do acknowledge though that it could be misused, however.  But the truth 
remains that if someone gains unauthorized administrative access to SMF or, 
well, any site, then the potential for damage is great. 

Thanks again for your report, as I mentioned in the email.

metallica48423
Project Manager
Simple Machines Forum