https://www.exploit-db.com/exploits/24082
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200405-041

SimpleMachinesForum(SMF)1.0版本存在跨站脚本漏洞。远程攻击者借助size标签注入任意web脚本。

source: http://www.securityfocus.com/bid/10281/info

It has been reported that Simple Machines Forum (SMF) may be prone to an HTML injection vulnerability that may allow an attacker to execute arbitrary HTML or script code in a user's browser. The issue exists due to insufficient sanitization of user-supplied input via the font size attribute.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

An attacker could reportedly post content to the forums containing:

[size=expression(alert(document.cookie))]Content[/size]

With the limit that the forum software filters out quotes, apostrophes and semicolons.

Another method that circumvents the software filtering would be to post content such as:

[size=expression(eval(unescape(document.URL.substring(document.URL.length-34,document.URL.length))))]Content[/size]

then get the victim to follow:

http://www.example.com/index.php?topic=12345.0&alert('cookie:n'+document.cookie)

Where the '12345.0' is the topic containing the previously posted content. The victim's browser would execute the last 34 characters (as specified in the previously posted 'length-34' content).

来源:XF
名称:smf-size-html-injection(16067)
链接:http://xforce.iss.net/xforce/xfdb/16067
来源:BID
名称:10281
链接:http://www.securityfocus.com/bid/10281
来源:BUGTRAQ
名称:20040505SMFSIZETagScriptInjectionVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108377364615934&w;=2