Bugtraq mailing list archives

SMF "index.php?action=pm" Cross Site-Scripting

From: Advisory () aria-security net
Date: 20 Jan 2007 08:06:08 -0000

#Aria-Security Team
#http://Aria-Security.com
#Type:Remote Cross-Site Scripting
#Article on XSS: http://aria-security.net/xss.rar
#Discovered By Aria-Security Team
#Tested on SMF 1.1 RC3
#
#Explanation:
#
#-First of all user must be REGISTERED
#-Go to http://target/smf/index.php?action=pm;sa=send
#-Inster your xss code for the recipient or BCC
#-Press send.



Original Advisory:
http://aria-security.com/forum/showthread.php?p=128

Current thread:

SMF "index.php?action=pm" Cross Site-Scripting Advisory (Jan 20)
- Re: SMF "index.php?action=pm" Cross Site-Scripting Lise Moorveld (Jan 26)
- <Possible follow-ups>
- Re: SMF "index.php?action=pm" Cross Site-Scripting lfx4sodas (Jan 22)
- Re: Re: SMF "index.php?action=pm" Cross Site-Scripting alexbove (Jan 22)
- Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting Outlaw (Jan 23)
- Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting sirdarckcat (Jan 26)