[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SMF 1.1.7 Persistent XSS (requires permision to edit censor)

Thanks for your report.

However, while this can be used in a malicious way, this is an action which requires administrative access by default to even access.  That is, someone must physically give someone else access, or someone must gain access to this function to be able to pull off anything with it.

The functionality is intended to allow an administrative user to replace certain text with text, html, or imagery as necessary.

Given that an administrative user can install modification packages as well as edit the template and language files, version depending, all of which require adminsitrative access, I also do not feel this is a very likely attack vector.

I do acknowledge though that it could be misused, however.  But the truth remains that if someone gains unauthorized administrative access to SMF or, well, any site, then the potential for damage is great. 

Thanks again for your report, as I mentioned in the email.

Project Manager
Simple Machines Forum