SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS


Arrow  SecurityAlert : 3651
Arrow  CVE : CVE-2008-0775
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : enterth3dragon
Arrow  Published : 14.02.2008

Arrow  Affected Software : Simple Machines Forum "SMF Shoutbox"



Arrow  Advisory Content :  

Simple Machines Forum "SMF Shoutbox" Mod 1.16b-1.14

Reference: http://custom.simplemachines.org/mods/index.php?mod=412

Bug:Persistent XSS

SMF Shoutbox is a popular shoutbox mod for Simple Machines Forum.The
content of a post variable used to hold the user shout is stored in the
database and then displayed to the visitors without being properly
filtered.So we can insert HTML or Javascript code in the database which is
then displayed in the shoutbox (which is usually at the index page of the
forum).

Note:the content of this variable is also stored in an html file
(sbox.history.html)residing in the main folder where SMF is installed so it
is possible to insert and then execute php code under some server
configurations.

Vulnerable versions: 1.16b down to 1.14

Search Engines query: "powered by smf 1.1" "SMF Shoutbox"

Vuln code

-In sboxDB.php

function missinghtmlentities() fails to sanitize

input passed to the shoutbox form

Exploit

All we have to do is pass to the shoutbox form a string starting with '&#'
and ending with ';'

Most sites configuration doesnt enable guest visitors to post comments so
you should create an account and login in order to exploit.SMF Shoutbox is
usually in the index page of the forum so you could easily exploit this
issue to collect Admins and user cookies,hijack sessions,etc

Pass this string to the shoutbox

&#<script>alert(String.fromCharCode(88,83,83))</script>;

If successful every visitor of the page should see an alert saying 'XSS'

Note:

We can inject php code but the output file (sbox.history.html)has an .html
extension so in order for the code to execute the server must be configured
to parse .html files for php code which is not the default configuration.






Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.