Re: SMF "index.php?action=pm" Cross Site-Scripting

[Lise Moorveld <lise_moorveld () yahoo com>]

If you follow these steps:

> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.

The code will be injected in the page that is returned
to the attacker. No Personal Message containing
malicious code will be send to anybody, because the
user "<script>evil</script>" does not exist...

So I guess one would exploit this by luring a target
user into clicking a link similar to this:

http://target/smf/index.php?action=pm;sa=send2;bcc=";<iframe>";to="test";subject=test;message=test

However, the page that is returned when you follow
that link gives the following error:
"Your session timed out while posting. Please try to
re-submit your message."

It turns out SMF does some checks before accepting a
POST for a PM, amongst them the session and the
referer. Also, the form to compose a new PM appears to
submit some random sequence number. So it seems to me
that, to be able to create a malicious URL, the
attacker needs to be aware of the target user's
session ID and PM sequence number already. In which
case an XSS attack wouldn't add much more.

Please correct me if I'm wrong.

Lise

--- Advisory () aria-security net wrote:

> #Aria-Security Team
> #http://Aria-Security.com
> #Type:Remote Cross-Site Scripting
> #Article on XSS: http://aria-security.net/xss.rar
> #Discovered By Aria-Security Team
> #Tested on SMF 1.1 RC3
> #
> #Explanation:
> #
> #-First of all user must be REGISTERED
> #-Go to
> http://target/smf/index.php?action=pm;sa=send
> #-Inster your xss code for the recipient or BCC
> #-Press send.
>
>
>
> Original Advisory:
> http://aria-security.com/forum/showthread.php?p=128


 
____________________________________________________________________________________
Any questions? Get answers on any topic at www.Answers.yahoo.com.  Try it now.