Message-Id: <200904081407.n38E7J4v019645@www3.securityfocus.com>
Date: Wed, 8 Apr 2009 08:07:19 -0600
From: security@...ern0t.net
To: bugtraq@...urityfocus.com
Subject: Re: [Aria-Security.com] vBulletin multiple XSS
This is not a bug, as the administrator should be able to name, for example, his smilies anything he wants to!
Then the administrator can also write XSS in his usertitle and report that as a vulnerability? I see it more like a function rather than a vulnerability, because:
If an admin makes a new custom template with custom HTML code, then that admin can put <script>alert('omg xss')</script> if he wants to. It's simply just functionality, not bugs.
I hope you understand my concern and why it is important for me to say that this is not a bug.
Best Regards,
MaXe - InterN0T.net