Simple Machines 2.0.2 Multiple HTML Injection Vulnerabilities

Benjamin Kunz Mejri
Simple Machines 2.0.2 Multiple HTML Injection Vulnerabilities. Webapps exploit for php platform


Simple Machines is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Simple Machines Forum 2.0.2 is vulnerable; other versions may also be affected. 

Proof of Concept:
The persistent input validation vulnerability can be exploited by a remote attacker with a low-privileged local user account and low required user interaction. Note that every form listed below is reached through the SMF administration panel, so the account must also hold the management permission for that area (package manager, smileys, newsletters, membergroups). For demonstration or reproduction:

Review: Package Manager > Download New Packages > FTP Information Required (Listing)

<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port: </label> 
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21" 
class="input_text" />

... or

<input size="50" name="ftp_path" id="ftp_path" value="public_html/demo/smf " 
type="text"><[PERSISTENT SCRIPT CODE])' <"="" style="width: 99%;" class="input_text">
<div class="righttext">


Review: Smiley Sets > Add

<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">


Review: Newsletter > Add

<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
  <br class="clear" />


Review: Edit Membergroups & User/Groups Listing

<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
<div class="windowbg2">
<span class="topslice"><span></span></span>
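As an added illustration (not part of the original advisory and not SMF's own code), the following Python models the pattern visible in every fragment above: a stored value is written unescaped into a double-quoted attribute, so a value beginning with "> closes the attribute and the tag, and the rest of the value becomes live markup. The rendering function mirrors the ftp_server input from the Package Manager form; the payload, field names and helper functions are constructed for this example. The hardened branch escapes with quotes included; the PHP equivalent an SMF fix would use is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). The last helper is a cheap scan a practitioner can run over already stored settings (FTP host/path, smiley set names, membergroup names) to spot values that would break out of an attribute.

```python
"""Stored HTML injection in an attribute context: vulnerable vs. hardened rendering.

Constructed example; not SMF's code. Field names mirror the forms the advisory lists.
"""
from html import escape
from html.parser import HTMLParser

# Constructed payload in the shape the advisory's fragments show: close the
# attribute, close the tag, inject a script element, leave a dangling fragment.
PAYLOAD = '"><script>alert(document.cookie)</script><"'


def render_ftp_server_field(value: str, hardened: bool) -> str:
    """Render the Package Manager ftp_server input with a previously stored value."""
    if hardened:
        # Attribute context: the double quote itself must be escaped, hence quote=True.
        # PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
        value = escape(value, quote=True)
    return (
        '<input size="30" name="ftp_server" id="ftp_server" type="text" '
        f'value="{value}" class="input_text">'
    )


class TagCollector(HTMLParser):
    """Record start tags and their attributes, i.e. what a browser would build from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []          # tag names in document order
        self.attrs: dict[str, dict] = {}   # tag name -> attributes of its last occurrence

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse_tags(markup: str) -> TagCollector:
    """Parse rendered markup and return the collected tags/attributes."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injection_succeeded(markup: str) -> bool:
    """True when the stored value escaped the attribute and produced a script element."""
    return "script" in parse_tags(markup).tags


def breaks_attribute_context(stored_value: str) -> bool:
    """Cheap scan for stored settings that would break out of a double-quoted attribute."""
    return any(c in stored_value for c in '"<>')


if __name__ == "__main__":
    for hardened in (False, True):
        markup = render_ftp_server_field(PAYLOAD, hardened)
        print("hardened" if hardened else "vulnerable", "->", parse_tags(markup).tags)
```

In the vulnerable rendering the parser sees two elements, the input and a script; in the hardened rendering it sees a single input whose value attribute decodes back to the original string, which is exactly the property a fix for the listed forms must have.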