Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the package manager, smiley sets, newsletter and edit members or groups with the vulnerable bound post parameters local path url, username, url, emails & title. Exploitation requires low user inter action & privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin/mod/user) or stable (persistent) manipulation of the web application context.
Package Manager > Download New Packages > FTP Information Required (Listing)
<dd>
<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port: </label>
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21"
class="input_text">
URL:
http://127.0.0.1:133...5f26c102fff9626
Smiley Sets > Add
<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
akyhne</strong>/...</td>
Review: Newsletter > Add
<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
</form>
</div>
<br class="clear">
</div>
Edit Membergroups & User/Groups Listing
<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
><ifram
</h3>
</div>
<div class="windowbg2">
<span class="topslice"><span></span></span>
