lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200904081407.n38E7J4v019645@www3.securityfocus.com>
Date: Wed, 8 Apr 2009 08:07:19 -0600
From: security@...ern0t.net
To: bugtraq@...urityfocus.com
Subject: Re: [Aria-Security.com] vBulletin multiple XSS

This is not a bug as the administrator should be able to name f.ex. his smilies anything he wants to do!

Then the Administrator can also write XSS in his usertitle and report that as a vulnerability? I see it more like a function rather than a vulnerability, cause!

If an admin makes a new custom template with custom html code, then that admin can put <script>alert('omg xss')</script> if he wants to. It's simply just functionality not bugs.

I hope you understand my concern and why it is important for me to say that this is not a bug.


Best Regards,
MaXe - InterN0T.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ