Simple Machines Forum "SMF Shoutbox" Mod 1.16b-1.14
Note:the content of this variable is also stored in an html file (sbox.history.html)residing in the main folder where SMF is installed so it is possible to insert and then execute php code under some server configurations.
Vulnerable versions: 1.16b down to 1.14
Search Engines query: "powered by smf 1.1" "SMF Shoutbox"
function missinghtmlentities() fails to sanitize
input passed to the shoutbox form
All we have to do is pass to the shoutbox form a string starting with '&#' and ending with ';'
Most sites configuration doesnt enable guest visitors to post comments so you should create an account and login in order to exploit.SMF Shoutbox is usually in the index page of the forum so you could easily exploit this issue to collect Admins and user cookies,hijack sessions,etc
Pass this string to the shoutbox
If successful every visitor of the page should see an alert saying 'XSS'
We can inject php code but the output file (sbox.history.html)has an .html extension so in order for the code to execute the server must be configured to parse .html files for php code which is not the default configuration.