SMF 2.0.4 Cross Site Scripting
Posted on 16 September 2013
Please assign 2013 CVE for SMF vulnerabilities, thanks. Fixes at least XSS issues. No reply from vendor when I asked if there is CVE(s) assigned already.

Advisory: http://www.simplemachines.org/community/index.php?topic=509417
Diff: http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.5.tar.gz;smf_version=2.0.4
Other references:
http://osvdb.org/96323
http://secunia.com/advisories/54384/

./Sources/ManageServer.php Operation #1 Find: [Select] '~$txt['lang_character_set']s=s('|")[^ ]+~' => '$txt['lang_character_set'] = '' . addslashes($_POST['character_set']) . '';', '~$txt['lang_locale']s=s('|")[^ ]+~' => '$txt['lang_locale'] = '' . addslashes($_POST['locale']) . '';', '~$txt['lang_dictionary']s=s('|")[^ ]+~' => '$txt['lang_dictionary'] = '' . addslashes($_POST['dictionary']) . '';', '~$txt['lang_spelling']s=s('|")[^ ]+~' => '$txt['lang_spelling'] = '' . addslashes($_POST['spelling']) . '';', Replace With: [Select] '~$txt['lang_character_set']s=s('|")[^ ]+~' => '$txt['lang_character_set'] = '' . preg_replace('~[^w-]~i', '', $_POST['character_set']) . '';', '~$txt['lang_locale']s=s('|")[^ ]+~' => '$txt['lang_locale'] = '' . preg_replace('~[^w-]~i', '', $_POST['locale']) . '';', '~$txt['lang_dictionary']s=s('|")[^ ]+~' => '$txt['lang_dictionary'] = '' . preg_replace('~[^w-]~i', '', $_POST['dictionary']) . '';', '~$txt['lang_spelling']s=s('|")[^ ]+~' => '$txt['lang_spelling'] = '' . preg_replace('~[^w-]~i', '', $_POST['spelling']) . '';', ./Sources/PersonalMessage.php Operation #1 Find: [Select] if (!isset($_REQUEST['sa']) || !isset($subActions[$_REQUEST['sa']])) MessageFolder(); Replace With: [Select] if (!isset($_REQUEST['sa']) || !isset($subActions[$_REQUEST['sa']])) { $_REQUEST['sa'] = ''; MessageFolder(); }
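
Review bot: In the ./Sources/ManageServer.php "Replace With" lines, the character class is shown as [^w-], which as written would keep only the letter w and the hyphen and strip everything else from character_set, locale, dictionary and spelling. The s=s in the same patterns suggests the backslashes were dropped when the page was rendered (this is an inference from the visible text), so check the class against the linked patch file and confirm it is [^\w-] before applying the change by hand. Even with [^\w-], a dot is removed, so a locale value such as en_US.UTF-8 would be silently rewritten; either allow the dot for the locale field or reject the input with an error instead of altering it. With \w in the class the i flag adds nothing and can be dropped.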
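
Review bot: In the ./Sources/PersonalMessage.php "Replace With" block, $_REQUEST['sa'] is cleared only on the fallback branch before MessageFolder(), and nothing in the visible lines says which later use of the value this protects. Add a comment naming that consumer, and consider escaping the value at the point where it is output as well, so the fix does not depend on every entry path resetting the request variable first.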
