
Re: [Aria-Security.com] vBulletin multiple XSS



This is not a bug, as the administrator should be able to name, e.g., his smilies 
anything he wants to!

Then the Administrator can also write XSS in his usertitle and report that as a 
vulnerability? I see it more like a function rather than a vulnerability, cause!

If an admin makes a new custom template with custom html code, then that admin 
can put <script>alert('omg xss')</script> if he wants to. It's simply just 
functionality, not bugs.

I hope you understand my concern and why it is important for me to say that 
this is not a bug.


Best Regards,
MaXe - InterN0T.net