Anti-CSRF Filter Bypass SMF 2.0 / 1.1.14
The [img] BBCode tag anti-CSRF filter can be bypassed because the 'action' variable is parsed incorrectly; as a result, a CSRF attack can be executed successfully.
Software: Simple Machines Forum (SMF)
Versions: SMF 1.1.14 - 2.0
Publication date: 2011-08-23
Impact: Cross Site Request Forgery
Solution: N/A (Vendor informed)
When a user posts a URL as the source of an [img] tag and it looks malicious, SMF tries to prevent the action parameter from being executed by replacing the string "action=something" with "action-something".
If a user instead crafts the URL with a null byte (%00) appended to the end of the variable name, the filter is circumvented and CSRF can be achieved.
Remove user 102 from the buddy list (SMF 1.1.14):
Logout (SMF 2.0):
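As an added illustration (not code from the advisory, and not SMF's own PHP implementation), the following Python contrasts a raw-string rewrite of the kind described above with a check that percent-decodes and normalises parameter names before deciding, and rejects rather than rewrites. The hostnames, parameter list and sample URLs are constructed for this example; the hardened check also covers percent-encoded letters and case variation, which the advisory does not discuss.

```python
import re
from urllib.parse import urlsplit, unquote

# Parameter names whose presence marks a forum action URL rather than an image.
# Constructed for this example; SMF's real list of sensitive parameters may differ.
BLOCKED_PARAMS = {"action"}

# Constructed sample inputs (hostnames are placeholders).
SAMPLE_IMAGE = "http://images.example/pic.png?size=large"
SAMPLE_ACTION = "http://forum.example/index.php?action=logout;sesc=abc"
SAMPLE_NULL = "http://forum.example/index.php?action%00=logout"
SAMPLE_ENCODED = "http://forum.example/index.php?%61ction=logout"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_filter(url: str) -> str:
    """Rewrite 'action=' to 'action-' on the raw URL, as the advisory says SMF does.

    Because it matches the still percent-encoded text, any byte sitting
    between the parameter name and '=' leaves the URL untouched.
    """
    return re.sub(r"action=", "action-", url, flags=re.IGNORECASE)


def _normalise_name(raw_name: str) -> str:
    """Decode percent-encoding, drop control characters, lower-case."""
    decoded = unquote(raw_name)
    return _CONTROL_CHARS.sub("", decoded).strip().lower()


def image_url_allowed(url: str) -> bool:
    """Return True only if the URL is plausibly an image and names no blocked parameter.

    Decisions are made on the decoded, normalised form, and a suspicious URL
    is rejected outright instead of being rewritten in place.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # No legitimate image URL needs NUL or other control bytes, encoded or not.
    if _CONTROL_CHARS.search(unquote(url)):
        return False
    # SMF-style URLs separate parameters with ';' as well as '&'.
    for pair in re.split(r"[&;]", parts.query):
        if not pair:
            continue
        name = pair.split("=", 1)[0]
        if _normalise_name(name) in BLOCKED_PARAMS:
            return False
    return True


if __name__ == "__main__":
    for sample in (SAMPLE_IMAGE, SAMPLE_ACTION, SAMPLE_NULL, SAMPLE_ENCODED):
        print(f"{sample}\n  naive  -> {naive_filter(sample)}\n"
              f"  strict -> {'allow' if image_url_allowed(sample) else 'reject'}")
```

The rewrite-based filter is a blocklist applied before decoding, so every encoding quirk the web server tolerates becomes a bypass. Decoding first and refusing control characters closes the specific gap, but an [img] URL filter can only ever reduce exposure: the durable defence is to require a per-session token on every state-changing request (logout, buddy-list edits) so that an image fetch from another origin cannot trigger them at all.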
cyerena [ at ] websec [ dot ] mx