XSS Vulnerabilities in Forum Software

ShadeSpeed · April 10, 2015, 10:07:20 AM

Hello,

I've found a rather serious XSS vulnerability in the forum software that is being used at totalminerforums dot net

Please contact me for more details (as I figured it'd be wise not to post the vulnerability on here).

Thanks,

Dan.

E-mail removed to stop you from being targeted by spammers - Iris.

Suki · April 10, 2015, 10:10:03 AM

Hi there, would you like to fill out a security report? http://www.simplemachines.org/about/smf/security.php and we will gladly take a look at it.

Thanks.

ShadeSpeed · April 10, 2015, 10:30:58 AM

Thanks, I've just submitted a report.

Dan.

margarett · April 10, 2015, 10:38:23 AM

Thank you for the submission.

What you reported can't be done in a "vanilla" SMF install, so it's not really a vulnerability.
The owners of said forum chose to allow that possibility (through a MOD or custom coding), probably unaware of the consequences.

Since you are registered to said forum, I would suggest you to contact one of the administrators in private and explain that to them.

ShadeSpeed · April 10, 2015, 10:47:45 AM

I have contacted the only administrator, and they referred me to here.

I will refer them to this topic.

Thanks,

Dan.

News:

XSS Vulnerabilities in Forum Software

ShadeSpeed

Suki

ShadeSpeed

margarett

ShadeSpeed