
Content Spoofing Bug

Started by nimafanniasl, May 04, 2022, 07:12:58 AM


nimafanniasl

Hi! please look at this page:
https://www.simplemachines.org/community/index.php?action=helpadmin;help=Content%20Spoofing%20Bug
SMF has this bug: anybody can write anything on this page, and this is dangerous.
I tested that bug in these forums: Iranians Ubuntu Forum and SMF Community Forum, and in both forums the bug works.

Aleksi "Lex" Kilpinen

Thank you for the report!
#7444
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

I'm not sure what risk you think this is, though. On a forum anyone can post anything...

If this were exploitable to add JS I'd agree, but it's not. Also, note that this page is always shown in a pop up that can't be triggered by the user themselves (there's no way to create that pop up in a post)
Holder of controversial views, all of which my own.


Kindred

Yeah, Arantor's comment fits my belief as well.
Glory to Ukraine!

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

m4z

The user might trust the site.

(I didn't manage to inject HTML tags, but I didn't try for long...)
"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!

Arantor

If you're going to build a link, you could trivially enough make any other link to any other site that looks *more* convincing.

I'm not sure this is actually as effective an argument for content spoofing as is being suggested.
Holder of controversial views, all of which my own.


Chief of Nothing

Quote from: Arantor on May 04, 2022, 07:17:16 AM
> If this were exploitable to add JS I'd agree, but it's not.

Actually it is, though not in the scenario given here. It would take a rogue theme and hoping no one notices, or another injection vulnerability, to be exploitable.

Arantor

Not sure that's a valid argument either. It's vulnerable if the theme is vulnerable? Well... um... yes but also no?

If your argument is that such a thing is contingent on a rogue mod or theme, well... yes? If you have a rogue element in the system you are at risk. That was always true and will be true until the end of time.

Similarly, if the argument is "it's vulnerable if something else makes it vulnerable", that is also... um... yes for every single software product ever?

In this specific case, SMF's core applies protections. If the theme has gone rogue to undo those protections... well yes, it's vulnerable. But so too would *literally any place user input could be handled* if your criterion is "if the theme is changed", because you can always change what is output that way. And for a forum, that implies a really large attack surface of "the point of the site" rather than a side feature that isn't really the headache being assumed here.

If you happen to look at the bug report though, I did suggest it should be fixed, noting that at one time this behaviour was not merely intentional but actively used and since deprecated. I don't *think* anything still relies on it but this needs checking.
Holder of controversial views, all of which my own.


Chief of Nothing

I wasn't arguing, just pointing out that the popup is actually exploitable to add JS but not in the way the OP does with URL manipulation. Your post read to me at the time (I've since re-read it, I completely missed the context), that exploiting the popup with JS can't be done at all, which isn't correct.

Anyway, to exploit the popup, or the rest of the forum actually (tested), with a rogue theme would likely be a highly targeted attack, and then you've probably got other problems. But... does anyone check submitted themes and mods? I'll bet at least 99% of theme and mod users don't.

Arantor

No, the context for my statement was that you can't inject JS into the pop up using the method of the OP. I tried. But I also looked at the code involved.

Themes and mods are reviewed by the SMF team on first submission. I don't remember any theme changing the help pop up template though.

I should add, such targeted attacks have been known in the wild, I've investigated a few. But there are better vectors for such things depending on exactly what your end game is.
Holder of controversial views, all of which my own.


Sesquipedalian

While this poses no direct risk to the security of the forum itself, it could indeed be used for phishing attacks against users. We will close off this possibility in a future patch to SMF.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
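The behaviour discussed in this thread, as an added illustration that is not SMF's own code: a minimal Python model of a help popup that looks up a key taken from the `help=` parameter of an SMF-style `action=helpadmin;help=...` query string. The help-string table, the function names and the "No help is available" message are constructed assumptions. `render_help_vulnerable` echoes an unknown key back into the page (the content-spoofing case, with HTML escaping still applied, which is why tags arrive as literal text rather than script), and `render_help_fixed` renders only keys that exist in the table, which is the kind of change that closes off the phishing use.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for a forum's help-string table (not SMF's real language file).
HELP_STRINGS = {
    "permissions": "Permissions control what each membergroup may do.",
    "maintenance_mode": "Maintenance mode hides the forum from non-admins.",
}


def help_key_from_query(query: str) -> str:
    """Extract the help key from an SMF-style query string such as
    'action=helpadmin;help=permissions'. SMF separates parameters with ';',
    so it is normalised to '&' before parsing; percent-encoding is decoded."""
    params = parse_qs(query.replace(";", "&"), keep_blank_values=True)
    return params.get("help", [""])[0]


def render_help_vulnerable(help_key: str) -> str:
    """Model of the reported behaviour: when the key is unknown, the key text
    itself becomes the popup body, so whatever the URL carries is shown on the
    site's own page under the site's own chrome (content spoofing)."""
    text = HELP_STRINGS.get(help_key, help_key)
    # Output escaping is still applied, which is why this is spoofing rather
    # than script injection: angle brackets and quotes are rendered literally.
    return '<div class="help">' + html.escape(text) + "</div>"


def render_help_fixed(help_key: str) -> str:
    """Hardened model: only keys present in the table are rendered; any other
    value yields a fixed message that the request cannot influence."""
    if help_key not in HELP_STRINGS:
        return '<div class="help">No help is available for this topic.</div>'
    return '<div class="help">' + html.escape(HELP_STRINGS[help_key]) + "</div>"


def reflects_untrusted_text(render, query: str) -> bool:
    """Regression check for the spoofing issue: does the rendered popup contain
    the request's own help value when that value is not a known key?"""
    key = help_key_from_query(query)
    if key in HELP_STRINGS:
        return False
    return html.escape(key) in render(key)


if __name__ == "__main__":
    # Constructed request mirroring the URL shape from the original report.
    q = "action=helpadmin;help=Content%20Spoofing%20Bug"
    print("vulnerable reflects text:", reflects_untrusted_text(render_help_vulnerable, q))
    print("fixed reflects text:     ", reflects_untrusted_text(render_help_fixed, q))
```

`reflects_untrusted_text` is the check a maintainer can keep around after the fix lands: it fails the moment an unknown key is echoed again, while known keys continue to render identically in both versions.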

Sesquipedalian

Fix submitted in #7446. Currently marked for inclusion in SMF 2.1.3.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.


shawnb61

A question worth asking is born in experience & driven by necessity. - Fripp
