Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities
From: Moritz Naumann <security () moritz-naumann com>
Date: Wed, 25 Sep 2013 14:33:14 +0000

On 24.09.2013 14:17 +0000, Henri Salo wrote:
On Mon, Sep 16, 2013 at 07:23:52PM -0600, Kurt Seifried wrote:
Can you provide a summary of the diff? thanks.
[..]
XSS in index.php?action=admin;area=manageboards;sa=newboard;cat=1 "board_name"
Requires admin account
PoC: "><BODY ONLOAD=alert('XSS')>
Verified in 2.0.4
Not fixed in 2.0.5

SMF guys, this CSRF should help to verify this issue. Can you fix this in next
release? Contact me in case you need help.

[..]

This CSRF doesn't work for me on two 2.0.4 installations I tested on.
Both return
  Unable to verify referring url. Please go back and try again.

There seems to be a CSRF protection in this hidden form field:
  <input type="hidden" name="e2b8c5b3437"
value="bdcc798a0a86fa141da538f7c3a6ec42" />

So this doesn't seem exploitable this way (but it also doesn't make the
XSS bug vanish in the haze, either).

To clarify, I'm a SMF user (and independent tester) not affiliated with
the SMF developers.

Moritz


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]