Message-ID: <5242F42A.3090003@moritz-naumann.com>
Date: Wed, 25 Sep 2013 14:33:14 +0000
From: Moritz Naumann <security@...itz-naumann.com>
To: oss-security@...ts.openwall.com, kseifried@...hat.com
CC: security@...plemachines.org
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities

On 24.09.2013 14:17 +0000, Henri Salo wrote:
> On Mon, Sep 16, 2013 at 07:23:52PM -0600, Kurt Seifried wrote:
>> Can you provide a summary of the diff? thanks.
[..]
> XSS in index.php?action=admin;area=manageboards;sa=newboard;cat=1 "board_name"
> Requires admin account
> PoC: "><BODY ONLOAD=alert('XSS')>
> Verified in 2.0.4
> Not fixed in 2.0.5
> 
> SMF guys, this CSRF should help to verify this issue. Can you fix this in next
> release? Contact me in case you need help.
> 
[..]

This CSRF doesn't work for me on two 2.0.4 installations I tested on.
Both return
  Unable to verify referring url. Please go back and try again.

There seems to be a CSRF protection in this hidden form field:
  <input type="hidden" name="e2b8c5b3437" value="bdcc798a0a86fa141da538f7c3a6ec42" />

So this doesn't seem exploitable this way (but it also doesn't make the
XSS bug vanish in the haze, either).

To clarify, I'm an SMF user (and independent tester) not affiliated with
the SMF developers.

Moritz
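The following is an added illustration of the two controls discussed in this thread, not SMF's own code: a session-bound anti-CSRF token issued under a randomized hidden-field name (mirroring only the shape of the field quoted above), a referrer check that fails with the message Moritz observed, and the output encoding that stops a stored board name from rendering as markup. SITE_HOST, the session dict and all field names are constructed for the example.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

SITE_HOST = "forum.example"  # constructed host for this example


def issue_csrf_field(session):
    """Store a fresh token for this session under a random hidden-field name.

    Both the name and the value are hypothetical; only the shape matches the
    <input type="hidden" name="..." value="..."> field quoted in the thread.
    """
    session["csrf_name"] = secrets.token_hex(6)
    session["csrf_value"] = secrets.token_hex(16)
    return session["csrf_name"], session["csrf_value"]


def render_hidden_field(session):
    """Emit the hidden field the form must carry back on submission."""
    return f'<input type="hidden" name="{session["csrf_name"]}" value="{session["csrf_value"]}" />'


def verify_request(session, form, referer):
    """Return (accepted, reason): referrer check first, then the per-session token."""
    host = urlparse(referer).hostname if referer else None
    if host != SITE_HOST:
        return False, "Unable to verify referring url. Please go back and try again."
    name, expected = session.get("csrf_name"), session.get("csrf_value")
    if not name or not expected:
        return False, "no token issued for this session"
    # A cross-site form does not know this session's field name or value;
    # compare in constant time and reject anything that does not match.
    submitted = form.get(name, "")
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


def safe_board_name(raw):
    """Encode a stored board name for HTML output so tags and quotes stay literal text."""
    return html.escape(raw, quote=True)
```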