Re: SMF 1.1.7 Persistent XSS (requires permision to edit censor)

[metallica48423 () gmail com]

Thanks for your report.

However, while this can be used in a malicious way, this is an action which requires administrative access by default 
to even access.  That is, someone must physically give someone else access, or someone must gain access to this 
function to be able to pull off anything with it.

The functionality is intended to allow an administrative user to replace certain text with text, html, or imagery as 
necessary.

Given that an administrative user can install modification packages as well as edit the template and language files, 
version depending, all of which require adminsitrative access, I also do not feel this is a very likely attack vector.

I do acknowledge though that it could be misused, however.  But the truth remains that if someone gains unauthorized 
administrative access to SMF or, well, any site, then the potential for damage is great. 

Thanks again for your report, as I mentioned in the email.

metallica48423
Project Manager
Simple Machines Forum