
suspected vulnerabilities in 2.0.2


Arantor:
Oh, not this again.

It is not exactly a vulnerability in that the people producing such reports didn't actually do anything much to produce it, they just hammered the same script through every page in SMF in the hopes of finding something.

It is a vulnerability of sorts in that there is content that is not thoroughly vetted - and whether it should be is another entirely.

(I would note this is the second time this has been posted here. The first time was a couple of weeks ago and moved to the developers' board.)

If this is such a reputable firm conducting tests, why did they not apprise the team of the vulnerability ahead of time, as would be the correct, reputable thing to do?


--- Quote from: Kindred on July 25, 2012, 11:26:09 AM ---well, it confirmed that - in order to do the things indicated in this report, you must already have access to the admin section.
the report does NOT indicate any way to bypass the admin check or to break into the admin account.

--- End quote ---

The real point is that the report author believes there is an issue that could be escalated to admin account compromise through XSS or similar, but since you already have to be an admin anyway it sort of renders it a bit moot - it's a vulnerability that requires a compromised system in order to exploit it.

Takfly:

--- Quote from: Kindred on July 25, 2012, 11:06:48 AM ---not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section...  and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

--- End quote ---

I guess what I'm asking is, what are the chances of this causing me a massive headache further down the line, but I can see where you are right.

All of the modules described in the vulnerability PoC are only accessible with sufficient privileges to negate the effort required to perform a successful exploit.

I suppose the only way it could be a threat is if non-standard privileges were assigned to a "demi-admin" group.

Thanks Again

Takfly
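The "demi-admin" case above is the one situation where an unvetted admin-panel field matters: a group that can edit settings but cannot upload packages could plant markup that a full admin later views. The following is an added example, not code from SMF or from anyone in this thread; the group names, the permission set and the setting store are all constructed for illustration. It shows why escaping on output is the right fix regardless of how trusted the writer of the value is.

```python
import html

# Constructed permission model for this example (not SMF's real permission names).
# "demi_admin" can change settings but cannot manage packages, so it is not
# equivalent to a full admin, and its input should not be treated as trusted.
PERMISSIONS = {
    "admin": {"manage_settings", "manage_packages", "view_members"},
    "demi_admin": {"manage_settings"},
    "member": set(),
}

# In-memory stand-in for the settings table.
SETTINGS = {}


def can(group, permission):
    """Return True if the group holds the named permission."""
    return permission in PERMISSIONS.get(group, set())


def save_setting(group, key, value):
    """Store a setting as typed; the access check is the only gate on write."""
    if not can(group, "manage_settings"):
        raise PermissionError(f"{group} may not manage settings")
    SETTINGS[key] = value
    return value


def render_setting_unvetted(key):
    """Renders the stored value straight into HTML (the pattern the report flagged)."""
    return f"<td>{SETTINGS[key]}</td>"


def render_setting(key):
    """Renders the stored value with HTML escaping, so markup is shown as text."""
    return f"<td>{html.escape(SETTINGS[key], quote=True)}</td>"


def demo():
    # Constructed input: a setting value that happens to contain a tag.
    save_setting("demi_admin", "forum_name", '<b title="x">My Forum</b>')
    return {
        "demi_admin_can_upload_packages": can("demi_admin", "manage_packages"),
        "unvetted": render_setting_unvetted("forum_name"),
        "escaped": render_setting("forum_name"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first rendering hands the stored markup to whichever admin opens the page; the second makes the same stored value inert, so the only thing a "demi-admin" can influence is the text of the setting, which is exactly what their permission grants.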

Kindred:
Well, come on... I mean, if you give someone access to the admin features, you had darned well better trust them - same as giving someone access to your server.  :)

This is like saying "I gave someone FTP access and they uploaded a backdoor and compromised my entire server, but it's an exploit because they weren't supposed to do that"
lol!
Seriously...   if someone has access to your package manager, then they can literally upload ANYTHING to your forum install...  as long as it is parsed correctly. (same thing goes for any software which allows the upload of modules or other packages)
