bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/24082.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

21 lines
No EOL
1.2 KiB
Text
Raw Blame History

source: https://www.securityfocus.com/bid/10281/info
It has been reported that Simple Machines Forum (SMF) may be prone to an HTML injection vulnerability that may allow an attacker to execute arbitrary HTML or script code in a user's browser. The issue exists due to insufficient sanitization of user-supplied input via the font size attribute.
Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
An attacker could reportedly post content to the forums containing:
[size=expression(alert(document.cookie))]Content[/size]
With the limit that the forum software filters out quotes, apostrophes and semicolons.
Another method that circumvents the software filtering would be to post content such as:
[size=expression(eval(unescape(document.URL.substring(document.URL.length-34,document.URL.length))))]Content[/size]
then get the victim to follow:
http://www.example.com/index.php?topic=12345.0&alert('cookie:\n'+document.cookie)
Where the '12345.0' is the topic containing the previously posted content. The victim's browser would execute the last 34 characters (as specified in the previously posted 'length-34' content).
Reference in a new issue View git blame Copy permalink