BugTraq
SMF "index.php?action=pm" Cross Site-Scripting Jan 20 2007 08:06AM
Advisory aria-security net (1 replies)
Re: SMF "index.php?action=pm" Cross Site-Scripting Jan 26 2007 09:43AM
Lise Moorveld (lise_moorveld yahoo com)
If you follow these steps:

> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.

The code will be injected in the page that is returned
to the attacker. No Personal Message containing
malicious code will be send to anybody, because the
user "<script>evil</script>" does not exist...

So I guess one would exploit this by luring a target
user into clicking a link similar to this:

http://target/smf/index.php?action=pm;sa=send2;bcc="<iframe>";to="test";
subject=test;message=test

However, the page that is returned when you follow
that link gives the following error:
"Your session timed out while posting. Please try to
re-submit your message."

It turns out SMF does some checks before accepting a
POST for a PM, amongst them the session and the
referer. Also, the form to compose a new PM appears to
submit some random sequence number. So it seems to me
that, to be able to create a malicious URL, the
attacker needs to be aware of the target user's
session ID and PM sequence number already. In which
case an XSS attack wouldn't add much more.

Please correct me if I'm wrong.

Lise

--- Advisory (at) aria-security (dot) net [email concealed] wrote:

> #Aria-Security Team
> #http://Aria-Security.com
> #Type:Remote Cross-Site Scripting
> #Article on XSS: http://aria-security.net/xss.rar
> #Discovered By Aria-Security Team
> #Tested on SMF 1.1 RC3
> #
> #Explanation:
> #
> #-First of all user must be REGISTERED
> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.
>
>
>
> Original Advisory:
> http://aria-security.com/forum/showthread.php?p=128
>

________________________________________________________________________
____________
Any questions? Get answers on any topic at www.Answers.yahoo.com. Try it now.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus