• info
• discussion
• exploit
• solution
• references

Simple Machines Forum Size Tag HTML Injection Vulnerability

No exploit is required for this issue, however Cheng Peng Su <apple_soup@msn.com> provided some proof-of-concept code.

An attacker could reportedly post content to the forums containing:

[size=expression(alert(document.cookie))]Content[/size]

With the limit that the forum software filters out quotes, apostrophes and semicolons.

Another method that circumvents the software filtering would be to post content such as:

[size=expression(eval(unescape(document.URL.substring(document.URL.length-34,document.URL.length))))]Content[/size]

then get the victim to follow:

http://www.example.com/index.php?topic=12345.0&alert('cookie:\n'+document.cookie)

Where the '12345.0' is the topic containing the previously posted content. The victim's browser would execute the last 34 characters (as specified in the previously posted 'length-34' content).