lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 26 Jan 2007 01:43:51 -0800 (PST)
From: Lise Moorveld <lise_moorveld@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Re: SMF "index.php?action=pm" Cross Site-Scripting

If you follow these steps:

> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.

The code will be injected in the page that is returned
to the attacker. No Personal Message containing
malicious code will be send to anybody, because the
user "<script>evil</script>" does not exist...

So I guess one would exploit this by luring a target
user into clicking a link similar to this:

http://target/smf/index.php?action=pm;sa=send2;bcc="<iframe>";to="test";subject=test;message=test

However, the page that is returned when you follow
that link gives the following error:
"Your session timed out while posting. Please try to
re-submit your message."

It turns out SMF does some checks before accepting a
POST for a PM, amongst them the session and the
referer. Also, the form to compose a new PM appears to
submit some random sequence number. So it seems to me
that, to be able to create a malicious URL, the
attacker needs to be aware of the target user's
session ID and PM sequence number already. In which
case an XSS attack wouldn't add much more.

Please correct me if I'm wrong.

Lise

--- Advisory@...a-security.net wrote:

> #Aria-Security Team
> #http://Aria-Security.com
> #Type:Remote Cross-Site Scripting
> #Article on XSS: http://aria-security.net/xss.rar
> #Discovered By Aria-Security Team
> #Tested on SMF 1.1 RC3
> #
> #Explanation:
> #
> #-First of all user must be REGISTERED
> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.
> 
> 
> 
> Original Advisory:
> http://aria-security.com/forum/showthread.php?p=128
> 


 
____________________________________________________________________________________
Any questions? Get answers on any topic at www.Answers.yahoo.com.  Try it now.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ