Advisory Name: SMF SIZE Tag Script Injection Vulnerability
Release Date: May 3, 2004
Application: Simple Machines Forum (SMF)
Tested On: SMF 1.0 Beta 5 Public
Vendor URL: http://www.simplemachines.org/
Discoverer: Cheng Peng Su (apple_soup_at_msn.com)
Intro: The team that brought you YaBB SE has moved on to develop the next evolution in forum software, Simple Machines Forum (SMF). They have rebranded themselves under the name Simple Machines. They proudly state that "SMF is a next-generation community software package and is jam-packed with features, while at the same time having a minimal impact on resources."
Proof of concept: SMF does not strictly filter scripting code in the [size] tag; in other words, it forgets to filter the ( ) + characters. An attacker can use the expression() syntax to set a malicious expression on the font-size attribute. The code below works.
Just beginning
but once you move on to more complex code, you will find that some characters (such as the quote, apostrophe and semicolon) are filtered by SMF. I found a working way that needs no quote, apostrophe or semicolon; you will see it in the Exploit below.
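The root cause described above is a block-list filter on the [size] parameter: stripping a few punctuation characters still leaves expression() reachable, and each character the filter misses becomes a bypass. The defensive fix is to allow-list the parameter instead. The following is an added example, not SMF's own code; the function names, the accepted-value pattern (plain CSS lengths such as 10px, 1.5em or 120%) and the sample posts are assumptions constructed for illustration.

```python
import html
import re

# Allow-list for the [size=...] parameter: a number with a CSS length unit.
# Anything else (expression(...), url(...), stray punctuation) is rejected outright,
# so the question of which characters the filter strips never arises.
_SIZE_RE = re.compile(r'^\d{1,3}(?:\.\d+)?(?:px|pt|em|%)$')

# Matches a complete [size=X]...[/size] pair (case-insensitive, spans lines).
_TAG_RE = re.compile(r'\[size=([^\]]*)\](.*?)\[/size\]', re.IGNORECASE | re.DOTALL)


def validate_size(value):
    """Return the normalised size if it is on the allow-list, else None."""
    v = value.strip().lower()
    return v if _SIZE_RE.match(v) else None


def render_size_tags(text):
    """Render [size] BBCode to HTML.

    The whole post is HTML-escaped first so that no raw markup survives; the
    size value is then only ever interpolated into the style attribute after it
    has passed the allow-list.  A rejected tag is dropped and its inner text is
    kept, so the author's content is still shown but no style attribute is emitted.
    """
    escaped = html.escape(text, quote=True)

    def repl(m):
        size = validate_size(m.group(1))
        if size is None:
            return m.group(2)
        return f'<span style="font-size: {size}">{m.group(2)}</span>'

    return _TAG_RE.sub(repl, escaped)


def find_rejected_sizes(text):
    """Return every [size] parameter that fails validation.

    Useful on the detection side: run it over submitted or stored posts to flag
    content that is probing the size attribute.
    """
    return [m.group(1) for m in _TAG_RE.finditer(text)
            if validate_size(m.group(1)) is None]


if __name__ == "__main__":
    # Constructed sample posts; the second carries a CSS expression in the
    # size parameter, the third adds a quote-free variant padded with '+'.
    samples = [
        "[size=12px]Just beginning[/size]",
        "[size=expression(alert(1))]Big Exploit[/size]",
        "[size=12px+expression(1)]padded[/size] <b>not html</b>",
    ]
    for s in samples:
        print("post:    ", s)
        print("rejected:", find_rejected_sizes(s))
        print("rendered:", render_size_tags(s))
        print()
```

The allow-list is deliberately narrow: if the forum needs numeric size levels (for example [size=3]), extend the pattern with a lookup table that maps each level to a fixed length, rather than passing the raw value through.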
Exploit: First, submit specially crafted content like the following
Big Exploit
'41' in the content is the length of the malicious script. If the URL of the topic above is