Re: Question about basic html/js/security stuffz
Reply #2 – March 26, 2016, 01:57:02 pm
Ok, but surely if you have managed to get yourself admin access already, you can create massive havoc in umpteen different ways. So is allowing playing with raw code really that much of a drama, in the scheme of things? And if you are going to "add a freaking file" what checks the content of said file?
Re: Question about basic html/js/security stuffz
Reply #5 – March 26, 2016, 05:46:04 pm
emanuele
Global Moderator
And yet again: the attacker doesn't even bother to have an account on your site. YOU, admin of your own forum, click a link on any website and you, admin of your forum, change (without realizing it) the settings of your own forum. In both cases, it's not a matter of the hacker stealing your admin account: the hacker tricks you into changing the settings. And if changing a setting is nothing, if the attacker ever thought about it, they were able (and still are, in not up-to-date SMF) to inject any kind of PHP code at will with a simple, properly crafted web page. "Of course" now the hole is closed, but you never know what could open another hole.
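The attack emanuele describes is cross-site request forgery: the admin's browser, already logged in, is made to submit a settings change it never meant to. The usual defence is to accept settings changes only over POST and only when the form carries a secret per-session token that a page on another site cannot know. The following is an added example of that check, not SMF's or ElkArte's own code; the `FORUM_HOST` constant, the `allow_raw_html` setting and the commented-out `save_setting()` call are assumptions made for the illustration.

```php
<?php
// Added example (not SMF/ElkArte code): anti-CSRF token for an admin settings form.
declare(strict_types=1);

session_start();

// Assumed: the host name the forum is served from, taken from configuration
// rather than from $_SERVER['HTTP_HOST'], which a client can influence.
const FORUM_HOST = 'forum.example.org';

// Return the session's anti-CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Second layer: the request should come from our own pages. Origin is
// preferred; Referer is a fallback. An absent header is treated as a failure.
function same_origin_request(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = (string) parse_url($source, PHP_URL_HOST);
    return strcasecmp($host, $expectedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null) || !same_origin_request(FORUM_HOST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid anti-CSRF token.');
    }
    // Only after both checks pass is the setting applied.
    $allowRawHtml = isset($_POST['allow_raw_html']) ? 1 : 0;
    // save_setting('allow_raw_html', $allowRawHtml); // hypothetical persistence call
    echo 'Settings saved.';
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>
    <input type="checkbox" name="allow_raw_html" value="1"> Allow raw HTML in portal blocks
  </label>
  <button type="submit">Save</button>
</form>
```

A link on a third-party site can make the browser send the admin's session cookie, but it cannot read the hidden `csrf_token` value, so the forged request fails the first check. The origin check is a backstop, not a replacement: the token is what carries the guarantee. Setting the session cookie with `SameSite=Lax` adds a third layer in modern browsers without changing the form at all.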
Re: Question about basic html/js/security stuffz
Reply #6 – March 27, 2016, 01:17:59 am
Ok, so is there any way to have things set up so that an admin can enter custom HTML and/or javascript into a theme or portal block, without creating all sorts of security problems? I'm thinking here of an example where you'd have custom textareas available in admin capable of taking HTML for "articles" (which would basically just be copy/pasted posts, calling all the standard classes) and/or javascript (for example, to allow easy insertion of a slideshow).