Anti-CSRF Filter Bypass SMF 2.0 / 1.1.14Anti-CSRF Filter Bypass SMF 2.0 / 1.1.14
Summary
The [img] BBCode tag anti-CSRF filter can be bypassed due to incorrect parsing of the 'action' variable, because of this it is possible to execute CSRF successfully.
Description
Software: Simple Machines Forum (SMF)
Versions: SMF 1.1.14 - 2.0
Publication date: 2011-08-23
Impact: Cross Site Request Forgery
Solution: N/A (Vendor informed)
Websec-id: ws11-15
When a user posts a URL as the source of an [img] tag and it seems malicious, SMF tries to avoid execution of the action parameter by replacing the string "action=something" with
"action-something".
If a user makes a specially crafted URL by adding to the end of the variable name a null-byte (%00), the filter is successfully circumvented and CSRF can be achieved.
POC
Remove user 102 from the buddy list (SMF 1.1.14):
[img]http://example.com/index.php?sa=editBuddies;remove=102;action%00=profile[/img]
Logout (SMF 2.0):
[img]http://example.com/community/index.php?action%00=logout;token[/img]
Christian Yerena
cyerena [ at ] websec [ dot ] mx
TWITTER
FACEBOOK
SUBSCRIBE
EMAIL US