Simple Machines Forum 1.1.11 cross site scripting

2009-12-23 / 2009-12-24

Credit: Khashayar Fereidani

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

|| Script : SMF (Simple Machine Forum) 1.1.11
|| Vulnerability Type : Active XSS ( Active Cross Site Scripting )
|| Risk : Low
|| Discovered By Khashayar Fereidani
|| http://ircrash.com http://bugtraq.ircrash.com
|| Note :
For use this vulnerability you need access to censor words panel .
1.First login and go to : http://site/path/index.php?action=postsettings;sa=censor
click on "Click here to add another word." for add new row .
set new text box : ircrash => "<script>alert('Vulnerable')</script>
and save page .
2.Open new typic and set title : ircrash , fill all fields and post typic .
3.Open forum home page . you see alert : Vulerable
You can set any html or java script code . hackers can home deface forum or set activex for virus .
|| Solution : filter censor page variables with htmlspecialchars .
|| Tnx : Only For God

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Simple Machines Forum 1.1.11 cross site scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.