AOH :: HP Unsorted S :: BU-1313.HTM

SMF (Simple Machine Forum) 1.1.11 XSS - Discovered by : Khashayar Fereidani


|| Script : SMF (Simple Machine Forum) 1.1.11
|| Vulnerability Type : Active XSS ( Active Cross Site Scripting )
|| Risk : Low

|| Discovered By Khashayar Fereidani
|| http://ircrash.com http://bugtraq.ircrash.com 


|| Note :

To use this vulnerability you need access to the censored-words panel.
1. First log in and go to: http://site/path/index.php?action=postsettings;sa=censor
click on "Click here to add another word." to add a new row.
Set the new text box to: ircrash => "
and save the page.
2. Open a new topic, set its title to "ircrash", fill in the other fields and post the topic.
3. Open the forum home page. You see the alert: Vulerable

Any HTML or JavaScript can be injected this way: an attacker with censor-panel access could deface the forum home page or serve malicious ActiveX content to every visitor.

|| Solution : filter the censor page variables with htmlspecialchars.
|| Tnx : Only For God
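The defect and the suggested fix side by side, as an added example that is not SMF's own code: a minimal model of the censored-word replacement, where the function names and the constructed censor list are assumptions, showing why escaping the admin-supplied replacement with htmlspecialchars stops markup from reaching the page.

```php
<?php
// Added example (not SMF's own code). censor_text(), censor_text_escaped()
// and the sample data below are assumptions made for illustration.

// Constructed censor list shaped like the admin panel: word => replacement.
// A replacement that carries markup is the problem case from the advisory.
$censor = [
    'ircrash' => '<b>censored</b>',   // constructed: contains raw HTML
    'darn'    => 'dang',              // ordinary replacement
];

// Vulnerable pattern: the replacement text is substituted into content
// as-is. Post text is typically escaped when it is submitted, so the
// censor step runs after that and its output is rendered; any markup in
// the replacement therefore becomes part of the page.
function censor_text(string $text, array $censor): string
{
    return str_ireplace(array_keys($censor), array_values($censor), $text);
}

// Hardened pattern (the advisory's fix): escape each replacement before it
// is substituted, so markup is displayed literally instead of parsed.
// Doing the same htmlspecialchars() call when the censor panel is saved
// has the same effect.
function censor_text_escaped(string $text, array $censor): string
{
    $safe = array_map(
        fn(string $r): string => htmlspecialchars($r, ENT_QUOTES, 'UTF-8'),
        array_values($censor)
    );
    return str_ireplace(array_keys($censor), $safe, $text);
}

// Constructed topic title, as a user would submit it.
$title = 'darn, ircrash is the new topic title';

echo censor_text($title, $censor), "\n";          // tags survive intact
echo censor_text_escaped($title, $censor), "\n";  // tags become &lt;b&gt;...
```

Run with `php example.php` and compare the two lines: only the second can be placed into a page without the replacement being interpreted as HTML.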
