Anti-CSRF Filter Bypass SMF 2.0 / 1.1.14
The anti-CSRF filter applied to the [img] BBCode tag can be bypassed because the 'action' variable name is parsed incorrectly; as a result, a forged request embedded in an image tag executes successfully.
Advisory
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| Software | Simple Machines Forum (SMF) |
| Versions | SMF 1.1.14 - 2.0 |
| Impact | Cross-Site Request Forgery via BBCode image tag |
| Websec Advisory | WS11-15 |
Description
When a user posts a URL inside an [img] BBCode tag and the URL contains an action= parameter, SMF's anti-CSRF filter rewrites action=something to action-something to block the request.
Appending a null byte (%00) to the end of the variable name bypasses the substitution, and the request executes as-is. The resulting image tag triggers a CSRF against any viewer of the post.
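As an added example (not part of this advisory and not SMF's own code), the following Python models the rewrite described above as a literal match on "action=", and places next to it a hardened check that canonicalizes each query parameter name (percent-decode, drop NUL bytes, fold case) before comparing it, so the null-byte variant is caught. The forum URLs are constructed, and treating ';' as a separator alongside '&' is an assumption based on SMF's URL style.

```python
import re
from urllib.parse import unquote, urlsplit

BLOCKED_PARAMS = {"action"}


def naive_img_filter(url: str) -> str:
    """The rewrite the advisory describes: a literal, case-insensitive
    match on 'action=' turned into 'action-'. Written here to show why a
    literal match is not enough; this is not SMF's implementation."""
    return re.sub(r"action=", "action-", url, flags=re.IGNORECASE)


def _normalize_name(raw: str) -> str:
    """Canonicalize a parameter name before comparing it: percent-decode
    twice (catches %25-encoded percent signs), drop NUL bytes and
    surrounding whitespace, fold case. 'action%00', 'ACTION' and
    '%61ction' all become 'action'."""
    return unquote(unquote(raw)).replace("\x00", "").strip().lower()


def blocked_param_names(url: str, blocked=BLOCKED_PARAMS) -> list:
    """Return the raw names of query parameters that canonicalize to a
    blocked name. One decode of the whole query first so that an encoded
    '=' (%3D) still splits name from value; both '&' and ';' are treated
    as separators (assumption: SMF URLs use ';')."""
    query = unquote(urlsplit(url).query)
    hits = []
    for param in re.split(r"[&;]", query):
        if not param:
            continue
        raw_name = param.split("=", 1)[0]
        if _normalize_name(raw_name) in blocked:
            hits.append(raw_name)
    return hits


def sanitize_img_url(url: str):
    """Return the URL unchanged when no blocked parameter is present,
    otherwise None: rejecting the tag is safer than rewriting a URL whose
    encoding has already proven adversarial."""
    return None if blocked_param_names(url) else url


# Constructed sample URLs, not taken from the advisory.
SAMPLE_URLS = [
    "http://forum.example/index.php?action=profile;u=1",
    "http://forum.example/index.php?action%00=profile;u=1",
    "http://forum.example/index.php?ACTION%3Dprofile",
    "http://forum.example/images/logo.png",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        print("  naive    ->", naive_img_filter(u))
        print("  hardened ->", sanitize_img_url(u))
```

The second sample URL is the case this advisory covers: the literal match leaves it untouched, while the canonicalizing check reports the parameter name it saw (with the NUL byte still in it) and refuses the tag. The third sample goes one step beyond the advisory by encoding the '=' sign, which the same canonicalization also handles.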
Remediation
Upgrade SMF to a release where the [img] BBCode filter handles null bytes correctly.