1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Lack of Interest Any reason why Notices allow HTML?

Discussion in 'Closed Suggestions' started by arn, Dec 12, 2014.

  1. arn

    arn Active Member

    Was curious about this. Is there a reason why Notices allow HTML?

    Seems a potential security hole. This is the vector through which Ubuntu Forums as well as MacRumors forums were hacked under vB. Moderator account was broken into (shared/weak passwords), and an HTML announcement was posted. That HTML announcement then allowed the hacker to escalate Admin access by use of an external javascript.

    I realize in XF the notices are an admin priviledge, but you could still imagine giving some admins notice access, but not other access.

    I guess my suggestion would be to not allowed HTML in notices, or have it disable-able.

  2. Xon

    Xon Well-Known Member

    You need to be an administrator to post notices.
    Amaury likes this.
  3. Jeremy

    Jeremy XenForo Moderator Staff Member

    A lot of areas in the ACP allow HTML. If an attacker is able to get in and post them, likely, they already have the access they need to deface or ruin your site.
    grahamperrin and Amaury like this.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    HTML is allowed in other areas such as page nodes, custom bb code, etc.

    If you're going to remove it from notices then logically you would have to remove it from everywhere, which would drastically reduce the functionality of the software.
  5. Martok

    Martok Well-Known Member

    This is one of the reasons I like and use the Notifications add-on


    My moderators can access this from the front end, so no back end access required.
    grahamperrin likes this.

Share This Page