If you follow these steps: > #-Go to > http://target/smf/index.php?action=pm;sa=send > #-Inster your xss code for the recipient or BCC > #-Press send. The code will be injected in the page that is returned to the attacker. No Personal Message containing malicious code will be send to anybody, because the user "<script>evil</script>" does not exist... So I guess one would exploit this by luring a target user into clicking a link similar to this: http://target/smf/index.php?action=pm;sa=send2;bcc=";<iframe>";to="test";subject=test;message=test However, the page that is returned when you follow that link gives the following error: "Your session timed out while posting. Please try to re-submit your message." It turns out SMF does some checks before accepting a POST for a PM, amongst them the session and the referer. Also, the form to compose a new PM appears to submit some random sequence number. So it seems to me that, to be able to create a malicious URL, the attacker needs to be aware of the target user's session ID and PM sequence number already. In which case an XSS attack wouldn't add much more. Please correct me if I'm wrong. Lise --- Advisory@xxxxxxxxxxxxxxxxx wrote: > #Aria-Security Team > #http://Aria-Security.com > #Type:Remote Cross-Site Scripting > #Article on XSS: http://aria-security.net/xss.rar > #Discovered By Aria-Security Team > #Tested on SMF 1.1 RC3 > # > #Explanation: > # > #-First of all user must be REGISTERED > #-Go to > http://target/smf/index.php?action=pm;sa=send > #-Inster your xss code for the recipient or BCC > #-Press send. > > > > Original Advisory: > http://aria-security.com/forum/showthread.php?p=128 > ____________________________________________________________________________________ Any questions? Get answers on any topic at www.Answers.yahoo.com. Try it now.
