a little bug!!!

[Mohammad]

Hi every body
take a look here

Code Select Expand

http://www.domain.tld/forum/index.php?action=helpadmin%3bhelp=THIS%2520SITE%2520HaCKED%2520BY%2520EVERYTHING%2520@%2520EVERYTHING.com

we have this problem in every SMF version
i mean 1.1.4 and older...

just replace the "domain.tld" with your desire SMF forum & change the continue sentence
...
HACKED!!!

please do something about this

Thanks

[karlbenson]

Indeed this was reported before. http://www.simplemachines.org/community/index.php?topic=189591.0

All they can do is add text.  The text is escaped so they can't hack/expoit your site.

See the last post on the above link where I posted a fix for it.

Would be nice if this got added to the bug tracker so even thought its not a security risk, it still needs quashing.

[Mohammad]

Okay!
thanks for your fast response
but this bug was reported on previous version "1.1.3"
why didn't Simplemachines didn't do any action in new release?

Thanks

[karlbenson]

it may have got missed.

I've got no idea.  Hopefully this time it will get added to the bug tracker.

[SleePy]

Its more of a feature than a bug.
I don't remember the developers reasons but they coded it purposely so you could do this. This is why it is cleaned up before it allows it

[karlbenson]

afaik the the helpadmin is part of the 'admin' for the popup question mark for help.  This does not as far as i remember show up outside of the admin.

Therefore would it be prudent to make it 'admin only'. (even if just for the last bit)

[SleePy]

the link can be used outside admin help. But this poses no threat at all. You can't do anything with it besides make it say cool things

Linky