
Persistent XSS for admin logged in (SMF 2.0.3)

Started by HauntIT, January 16, 2013, 02:40:04 AM


HauntIT

Hi SMF Forum

A few days ago I found a persistent XSS in the latest SMF (2.0.3).

I sent this information to you (via a few members), but I decided to write a post about it here too, so a few more of 'us' can check 'our' sites again.

I found this XSS when I was looking for an information disclosure bug, so here we have 2 in 1 ;)

Anyway:

1. path disclosure:

POST /smf/index.php?action=admin;area=languages HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: hxxp://localhost/smf/index.php?action=admin;area=languages;e40cc27c34=5cc6f6e4f2c986b0fcff043a4c8d012f
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
Connection: close

def_language=<here we can 'escape' from JavaScript <script> and add stored XSS>&e40cc27c34=xxx&set_default=Save&e40cc27c34=xxx

RESP:
HTTP/1.1 200 OK
Date: Mon, 07 Jan 2013 22:36:15 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
(...)
Content-Type: text/html
Content-Length: 145



<br />
<b>Parse error</b>:  syntax error, unexpected $end in <b>/home/kuba/public_html/smf/Settings.php</b> on line <b>14</b><br />

Let me know if you need any help with this.

Cheers,
Jakub
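The request above shows why the bug is both a path disclosure and a stored XSS: the posted def_language value is written into Settings.php as a PHP string without validation, so a value that does not fit inside the quotes breaks the file (the parse error in the response) and is stored for later rendering. The following is an added example, not SMF's own code, of the two defensive layers that close that hole: a whitelist check before the value is accepted, and var_export() when the line is generated. The Settings.php line layout (`$language = '...';`), the language names, and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SMF code: hardening the step that takes the posted
// def_language value and writes it into Settings.php. The settings-file
// layout ($language = '...';) and the language list are assumptions.

// Constructed stand-in for the installed language packs (SMF reads these
// from the language directory; the names here are made up).
const INSTALLED_LANGUAGES = ['english', 'italian', 'polish'];

/**
 * Return the language name if it is acceptable, null otherwise.
 * The regex rejects anything that is not a plain identifier (quotes, angle
 * brackets, whitespace, slashes), and the whitelist rejects identifiers that
 * do not correspond to an installed pack. Either check alone stops a value
 * from breaking the generated PHP file; both together also stop a
 * syntactically harmless but non-existent name.
 */
function validateLanguage(string $candidate): ?string
{
    if (preg_match('/^[a-z0-9_-]{1,40}$/', $candidate) !== 1) {
        return null;
    }
    return in_array($candidate, INSTALLED_LANGUAGES, true) ? $candidate : null;
}

/**
 * Build the Settings.php assignment for $language. var_export() produces a
 * quoted and escaped PHP string literal, so the emitted line is valid PHP
 * regardless of the value: a second line of defence if validateLanguage()
 * is ever bypassed by a future code path.
 */
function settingsLine(string $language): string
{
    return '$language = ' . var_export($language, true) . ';';
}

/**
 * Replace the $language assignment in the text of Settings.php. A callback
 * is used so the replacement is inserted verbatim and not interpreted for
 * backreferences. Returns null when no assignment line was found.
 */
function rewriteLanguage(string $settings, string $language): ?string
{
    $line = settingsLine($language);
    $result = preg_replace_callback(
        '/^\$language\s*=.*;[ \t]*$/m',
        static fn (array $m): string => $line,
        $settings,
        1,
        $count
    );
    return ($result === null || $count === 0) ? null : $result;
}

/**
 * The request handler: validate first, then write. Rejected input leaves
 * the file untouched, so a bad value can neither break the site (the parse
 * error shown in the thread) nor be stored for later rendering.
 */
function saveDefaultLanguage(array $post, string $settingsFile): bool
{
    $language = validateLanguage((string) ($post['def_language'] ?? ''));
    if ($language === null) {
        return false;
    }
    $current = file_get_contents($settingsFile);
    $updated = $current === false ? null : rewriteLanguage($current, $language);
    if ($updated === null) {
        return false;
    }
    return file_put_contents($settingsFile, $updated, LOCK_EX) !== false;
}

// Constructed demo input (no file I/O): a two-line settings file in memory.
$settings = "<?php\n\$maintenance = 0;\n\$language = 'english';\n";
var_dump(validateLanguage('polish'));
var_dump(validateLanguage('pol ish'));
echo rewriteLanguage($settings, 'polish');
```

The whitelist is the real fix; var_export() is there so that a future caller that forgets to validate still cannot produce a file PHP refuses to parse. Rejected values should be logged (value and requester) rather than echoed back, since reflecting them would reintroduce the XSS in a different place.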

Tony Reid

Looks like they are looking for the 2.0.2 xss bug - upgrade to 2.0.3 if you haven't already.

Tony Reid

emanuele

That's another one.
It will be patched.

Though it's not particularly dangerous because the parameter is accepted only from POST and it's an admin-only section of the forum (and if the POST comes from a different site it should be detected by checkSession as usual and stopped before anything happens).


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.


HauntIT

Hi emanuele,
Regarding:
Quote from: emanuele on January 16, 2013, 05:18:23 AM
(...)
Though it's not particularly dangerous because the parameter is accepted only from POST and it's an admin-only section of the forum (and if the POST comes from a different site it should be detected by checkSession as usual and stopped before anything happens).

I'm not so sure. ;)

Think about a scenario in which this 'admin only' vulnerability is exploited
when the admin (of SMF) is currently logged in (to the 'admin panel') and is 'travelling' to other sites
in other browser tabs. What if, on one 'evil' page in his tabs, he 'executes' some CSRF payload
(for example 'add admin user' or something like that ;) )?

I know that this post is quite old, but someone sent me the link again ;)

Anyway, emanuele, my point is that it is always 'good practice' to think
about patching all possible vulnerabilities. A chain is weak where...? ;)

So... I'm glad that this is fixed, like you said! Good job.

Currently I'm busy with a few projects; anyway, I will check the next ('current') version ;)

If I find anything, I will send you the details more privately first.
If you want to talk or ask anything, just send me an e-mail. I will answer ASAP.

Once again, good job for the fix! ;)

Have a nice day!

Regards,
J.

emanuele

Quote from: HauntIT on June 14, 2013, 11:17:27 AM
Think about a scenario in which this 'admin only' vulnerability is exploited
when the admin (of SMF) is currently logged in (to the 'admin panel') and is 'travelling' to other sites
in other browser tabs. What if, on one 'evil' page in his tabs, he 'executes' some CSRF payload
(for example 'add admin user' or something like that ;) )?
Because your hypothesis already happened and was the main issue patched with 2.0.3.
checkSession in certain situations was unable to detect data POSTed from other sites (i.e. CSRF attacks) and was even exploited before the patch.

Quote from: HauntIT on June 14, 2013, 11:17:27 AM
Anyway, emanuele, my point is that it is always 'good practice' to think
about patching all possible vulnerabilities. A chain is weak where...? ;)
Didn't say anything different, just trying to define priorities and level of risk.

Quote from: HauntIT on June 14, 2013, 11:17:27 AM
If I find anything, I will send you the details more privately first.
Please use the security report form:
http://www.simplemachines.org/about/security.php
;)

Quote from: HauntIT on June 14, 2013, 11:17:27 AM
Once again, good job for the fix! ;)
Thanks for the report! ;)


Take a peek at what I'm doing! ;D




Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.
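Both of emanuele's remarks about checkSession, that a cross-site POST "should be detected by checkSession as usual" and that in some situations before 2.0.3 it was not, come down to what a session guard for a POST-only admin action has to check. The request in the first post carries such a token (the `e40cc27c34=...` field). The following is an added example, not SMF's checkSession(), of those checks; the field and key names, the function names, and the host names are assumptions made for the example, and the arrays stand in for $_SERVER, $_POST and $_SESSION so the code runs without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not SMF's checkSession(): the checks a session guard for a
// POST-only admin action has to make so that a request forged by another
// site open in the admin's browser is refused. $session/$post/$server are
// passed in explicitly so the functions can be exercised from the CLI.

/** Issue (or reuse) the per-session token that every state-changing form embeds. */
function sessionToken(array &$session): string
{
    if (!isset($session['session_token']) || !is_string($session['session_token'])
        || $session['session_token'] === '') {
        $session['session_token'] = bin2hex(random_bytes(32));   // CSPRNG, 256 bits
    }
    return $session['session_token'];
}

/**
 * Return true only when the request may proceed:
 *   1. it is a POST (a GET must never change state),
 *   2. the posted token matches the session token, compared in constant time,
 *   3. if the browser sent Origin or Referer, its host is our own host.
 * Step 3 is defence in depth: it catches a request whose token check would
 * pass because the token leaked. It does not replace step 2, because some
 * clients and proxies strip these headers, and an absent header is allowed.
 */
function checkAdminPost(array $server, array $post, array $session, string $ourHost): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session['session_token'] ?? '';
    $given = $post['session_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    if (!hash_equals($expected, $given)) {   // constant-time comparison
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '') {
        $host = parse_url($source, PHP_URL_HOST);   // false for "null" or junk
        if (!is_string($host) || strcasecmp($host, $ourHost) !== 0) {
            return false;
        }
    }
    return true;
}

// Constructed walk-through: a legitimate form post and a cross-site one.
$session = [];
$token = sessionToken($session);

$legit = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_ORIGIN'    => 'https://forum.example',
];
var_dump(checkAdminPost($legit, ['session_token' => $token], $session, 'forum.example'));

$crossSite = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_REFERER'   => 'https://other.example/page',
];
// A page on another origin cannot read the token, so it posts without it.
var_dump(checkAdminPost($crossSite, [], $session, 'forum.example'));
```

The token check is what actually stops a forged request; the Origin/Referer comparison only narrows the window in which a leaked token is useful. The ordering also matters for the original report: a guard like this runs before the posted value is touched, so even an unvalidated def_language is never written unless the request came from the forum's own form.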
