Advertisement:

Author Topic: Simple Machines Forum 1.1.11 Change Admin Password  (Read 13657 times)

Offline yashpatel

  • Newbie
  • *
  • Posts: 4
Simple Machines Forum 1.1.11 Change Admin Password
« on: June 26, 2010, 02:32:37 PM »
http :// server/ smf/ index.php?action=reminder;sa=setpassword;u=1;code=0eb3d1f811
« Last Edit: June 28, 2010, 02:46:12 PM by (F.L.A.M.E.R) »

Offline flapjack

  • SMF Hero
  • ******
  • Posts: 2,615
  • Gender: Male
  • I pity the fools!
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #1 on: June 26, 2010, 02:33:24 PM »
discussed already. bogus, doesn't work.

Offline yashpatel

  • Newbie
  • *
  • Posts: 4
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #2 on: June 26, 2010, 02:35:07 PM »
i tryed it myself
its working

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 20,573
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #3 on: June 26, 2010, 02:37:01 PM »
Doesn't work. You will get an error when you fill out the form saying bad code
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline tj007s13

  • Semi-Newbie
  • *
  • Posts: 17
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #4 on: June 26, 2010, 03:10:27 PM »
I'd like to get verification from an Admin that this is nothing to worry about.

If this is true, it could be very harmful.

http://www.exploit-db.com/exploits/14045/ [nofollow]

To fix temporarily, while waiting for a real fix or an "All Clear" from SMF Admins...I just disabled password reminders...You can basically rename/delete Reminder.php in the sources folder.

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 20,573
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #5 on: June 26, 2010, 03:17:18 PM »
It is nothing to worry about. This does not work at all there are checks in place and the change code is randomly generated. You can try it on your own test board/forum it will not do anything
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline azorot

  • Newbie
  • *
  • Posts: 1
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #6 on: June 29, 2010, 05:45:55 AM »
so your stating that the exploit would not work. These issues are what cause people to lose faith. BTW if i wanted as of right now i would be able to gain admin privilege here.


for those whim may be skeptic of this issue please look again. you right a simple copy past will not work with this your going to receive user does not exist however changing this string by a bit will allow you to gain admin right. It's sad that defacement have to happen for this to be patched.


Offline cicka

  • Sophist Member
  • *****
  • Posts: 1,280
  • Gender: Female
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #7 on: June 29, 2010, 06:27:57 AM »
That doesn'twork for me too. I get an User does not exist error message.

Offline yashpatel

  • Newbie
  • *
  • Posts: 4
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #8 on: June 29, 2010, 11:18:48 AM »
it working or not working whatever
but it asking for new pass that means something is wrong in coding.. thts it
plz patch it asap :-)

Offline flapjack

  • SMF Hero
  • ******
  • Posts: 2,615
  • Gender: Male
  • I pity the fools!
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #9 on: June 29, 2010, 11:34:33 AM »
for those whim may be skeptic of this issue please look again. you right a simple copy past will not work with this your going to receive user does not exist however changing this string by a bit will allow you to gain admin right. It's sad that defacement have to happen for this to be patched.
you will have as much luck as if you guess the password itself. maybe little bit more. until someone proves this works, it's just bull.

Offline cicka

  • Sophist Member
  • *****
  • Posts: 1,280
  • Gender: Female
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #10 on: June 29, 2010, 11:40:34 AM »
it working or not working whatever
but it asking for new pass that means something is wrong in coding.. thts it
plz patch it asap :-)

No reason to panic or spread one. If there is no security risk then there is no rush to act immediatley on it.

Offline gamesmad

  • SMF Hero
  • ******
  • Posts: 1,667
  • Gender: Male
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #11 on: July 01, 2010, 03:15:22 PM »
Yes, you can make it bring up the change password screen.

But, the change password screen doesn't work, it gives a user does not exist message every time.

This is nothing to worry about.
1 on 1 SMF Help - Want 1 on 1 SMF Help? Post in Help Wanted or drop me a message!

Go Charter! - Please consider becoming a charter member to support SMF development.

Please do not PM me with general questions, posting in the appropriate board will ensure everyone benefits from the advice given.

Offline live627

  • Developer
  • SMF Hero
  • *
  • Posts: 5,377
  • Gender: Male
    • live627 on Facebook
    • live627 on GitHub
    • live627 on LinkedIn
    • @live627 on Twitter
    • livemods
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #12 on: July 14, 2010, 12:06:50 AM »
Can someone please move this topic to Bogus Bugs? Thank you
Try not to become a man of success, but rather try to become a man of value.
- Albert Einstein

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 17,490
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • aleksi-kilpinen on LinkedIn
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #13 on: July 14, 2010, 03:35:23 AM »
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.

How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline ѕησω

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 3,428
  • Gender: Male
  • Nisi credideritis, non intelligetis.
    • wade.poulsen93 on Facebook
    • acans on GitHub
    • https://www.linkedin.com/profile/view?id=145186638 on LinkedIn
    • @imacans on Twitter
    • Acans
Re: Simple Machines Forum 1.1.11 Change Admin Password
« Reply #14 on: July 14, 2010, 06:15:48 AM »
Can someone please move this topic to Bogus Bugs? Thank you

Sure thing.
"The Book of Arantor, 17:3-5
  And I said unto him, thy database query shalt always be sent by the messenger of $smcFunc
  And $smcFunc shall protect you against injections and evil
  And so it came to pass that mysql_query was declared deprecated and even though he says he is not dead yet, the time was soon to come to pass when mysql_query shall be gone and no more."