SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS


Arrow  SecurityAlert : 3651
Arrow  CVE : CVE-2008-0775
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : enterth3dragon
Arrow  Published : 14.02.2008

Arrow  Affected Software : Simple Machines Forum "SMF Shoutbox"



Arrow  Advisory Content :  

Simple Machines Forum "SMF Shoutbox" Mod 1.16b-1.14

Reference: http://custom.simplemachines.org/mods/index.php?mod=412

Bug:Persistent XSS

SMF Shoutbox is a popular shoutbox mod for Simple Machines Forum.The
content of a post variable used to hold the user shout is stored in the
database and then displayed to the visitors without being properly
filtered.So we can insert HTML or Javascript code in the database which is
then displayed in the shoutbox (which is usually at the index page of the
forum).

Note:the content of this variable is also stored in an html file
(sbox.history.html)residing in the main folder where SMF is installed so it
is possible to insert and then execute php code under some server
configurations.

Vulnerable versions: 1.16b down to 1.14

Search Engines query: "powered by smf 1.1" "SMF Shoutbox"

Vuln code

-In sboxDB.php

function missinghtmlentities() fails to sanitize

input passed to the shoutbox form

Exploit

All we have to do is pass to the shoutbox form a string starting with '&#'
and ending with ';'

Most sites configuration doesnt enable guest visitors to post comments so
you should create an account and login in order to exploit.SMF Shoutbox is
usually in the index page of the forum so you could easily exploit this
issue to collect Admins and user cookies,hijack sessions,etc

Pass this string to the shoutbox

&#<script>alert(String.fromCharCode(88,83,83))</script>;

If successful every visitor of the page should see an alert saying 'XSS'

Note:

We can inject php code but the output file (sbox.history.html)has an .html
extension so in order for the code to execute the server must be configured
to parse .html files for php code which is not the default configuration.






Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.