Simple Machines forum (SMF) 2.0 session hijacking
Found by The X-C3LL and seth
http://0verl0ad.blogspot.com/ || http://xd-blog.com.ar/
2011-08-06
Website: http://www.simplemachines.org/
Greets: yoyahack, eddyw, www.portalhacker.net
SMF stops csrf attacks sending a session token in all the requests wich make changes to the forum.
Usually, it goes in the POST content but when navigating the moderation zone it's present in the url (you need to click the links from inside that zone!). In some places, an attacker can use bbcode to insert a ![]()
tag, forcing the browser to make a request and leak the token in the referer header.
There are two ways for an attacker to place a image:
-Writing in the moderators chat (?action=moderate), requires being a moderator.
-Making a post and reporting it to the moderator (it will be send to all the section mods and the global mods, who will see it in ?action=moderate;area=reports)
Removing lines 104 and 105 from Subs-Menu.php seems to solve the problem and nothing stops working (!):
/////////////////////////////////////////////////////
if (empty($menuOptions['disable_url_session_check']))
$menu_context['extra_parameters'] .= ';' . $context['session_var'] . '=' . $context['session_id'];
/////////////////////////////////////////////////////
PoC exploit wich gives admin privileges to the regular members:
/////////////////////////////////////////////////////
';
?>