[2.0.12] persistent cross site scripting possible in field board description

Started by that-can-forum, November 03, 2016, 04:21:40 AM

that-can-forum

The content in the text area desc on side area=manageboards is not validated or filtered correctly (especially chars < and "). With that you can do a CSS-attack to all users of a forum.

Illori

In SMF 2.1, you can no longer use HTML in that field. That should resolve this issue.

Arantor

Quote from: that-can-forum on November 03, 2016, 04:21:40 AM
The content in the text area desc on side area=manageboards is not validated or filtered correctly (especially chars < and "). With that you can do a CSS-attack to all users of a forum.

If you have that, you're probably already an admin and can XSS anyone all the time anyway. But yes, this was a known issue and is resolved in 2.1 but can't be fixed in 2.0 because users use that feature for broad descriptions that aren't just text.
