lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 10 Feb 2008 23:15:06 -0000
From: enterth3dragon@...il.com
To: bugtraq@...urityfocus.com
Subject: Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS

Simple Machines Forum "SMF Shoutbox" Mod 1.16b-1.14 

Reference:	http://custom.simplemachines.org/mods/index.php?mod=412  

Bug:Persistent XSS
  
SMF Shoutbox is a popular shoutbox mod for Simple Machines Forum.The content of a post variable used to hold the user shout is stored in the database and then displayed to the visitors without being properly filtered.So we can insert HTML or Javascript code in the database which is then displayed in the shoutbox (which is usually at the index page of the forum).
Note:the content of this variable is also stored in an html file (sbox.history.html)residing in the main folder where SMF is installed so it is possible to insert and then execute php code under some server configurations. 
  
Vulnerable versions: 1.16b down to 1.14

Search Engines query: "powered by smf 1.1" "SMF Shoutbox" 
			
Vuln code
 
 -In sboxDB.php
  
  function missinghtmlentities() fails to sanitize      
  input passed to the shoutbox form
 

Exploit
 
All we have to do is pass to the shoutbox form a string starting with '&#' and ending with ';'
Most sites configuration doesnt enable guest visitors to post comments so you should create an account and login in order to exploit.SMF Shoutbox is usually in the index page of the forum so you could easily exploit this issue to collect Admins and user cookies,hijack sessions,etc
 

  
 Pass this string to the shoutbox  

  &#<script>alert(String.fromCharCode(88,83,83))</script>;

If successful every visitor of the page should see an alert saying 'XSS' 
 

Note:

We can inject php code but the output file (sbox.history.html)has an .html extension so in order for the code to execute the server must be configured to parse .html files for php code which is not the default configuration.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ