oss-sec mailing list archives

Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities


From: Moritz Naumann <security () moritz-naumann com>
Date: Wed, 25 Sep 2013 14:33:14 +0000

On 24.09.2013 14:17 +0000, Henri Salo wrote:
On Mon, Sep 16, 2013 at 07:23:52PM -0600, Kurt Seifried wrote:
Can you provide a summary of the diff? thanks.
[..]
XSS in index.php?action=admin;area=manageboards;sa=newboard;cat=1 "board_name"
Requires admin account
PoC: "><BODY ONLOAD=alert('XSS')>
Verified in 2.0.4
Not fixed in 2.0.5

SMF guys, this CSRF should help to verify this issue. Can you fix this in the next
release? Contact me in case you need help.

[..]

This CSRF doesn't work for me on two 2.0.4 installations I tested on.
Both return
  Unable to verify referring url. Please go back and try again.

There seems to be a CSRF protection in this hidden form field:
  <input type="hidden" name="e2b8c5b3437" value="bdcc798a0a86fa141da538f7c3a6ec42" />

So this doesn't seem exploitable this way (but it also doesn't make the
XSS bug vanish in the haze, either).

To clarify, I'm an SMF user (and independent tester) not affiliated with
the SMF developers.

Moritz
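
Added example, not part of the original message and not SMF's code: a minimal model of the two separate controls this message distinguishes, a per-session hidden token that rejects forged requests and output encoding of board_name that addresses the XSS itself. The function names and the token generation scheme are assumptions; only the PoC string and the shape of the hidden field come from the thread.

```python
import hmac
import html
import secrets

# PoC string quoted in the report above.
PAYLOAD = "\"><BODY ONLOAD=alert('XSS')>"

def new_session():
    # Assumption: one random field name and value per session, shaped like
    # the hidden input quoted above (11 and 32 hex characters).
    return {"name": secrets.token_hex(6)[:11], "value": secrets.token_hex(16)}

def accept_post(session, post):
    # A forged cross-site request cannot read the form, so it carries
    # neither the random field name nor its value.
    supplied = post.get(session["name"], "")
    return hmac.compare_digest(supplied.encode(), session["value"].encode())

def render_unescaped(board_name):
    # Behaviour the report describes: the value is echoed into markup as-is.
    return f'<input type="text" name="board_name" value="{board_name}" />'

def render_escaped(board_name):
    # Output encoding keeps the value inside the attribute.
    safe = html.escape(board_name, quote=True)
    return f'<input type="text" name="board_name" value="{safe}" />'

if __name__ == "__main__":
    s = new_session()
    forged = {"board_name": PAYLOAD}
    own = {"board_name": PAYLOAD, s["name"]: s["value"]}
    print("forged request accepted:", accept_post(s, forged))
    print("admin's own request accepted:", accept_post(s, own))
    print("unescaped:", render_unescaped(PAYLOAD))
    print("escaped:  ", render_escaped(PAYLOAD))
```

The token check only stops the cross-site delivery path; a request carrying a valid token still stores the value, so the rendering side has to encode it.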

