Simple Machines Forum 1.1.11 Change Admin Password

Started by yashpatel, June 26, 2010, 02:32:37 PM


yashpatel

http :// server/ smf/ index.php?action=reminder;sa=setpassword;u=1;code=0eb3d1f811



vbgamer45

Doesn't work. You will get an error when you fill out the form saying bad code.

tj007s13

I'd like to get verification from an Admin that this is nothing to worry about.

If this is true, it could be very harmful.

http://www.exploit-db.com/exploits/14045/

To fix temporarily, while waiting for a real fix or an "All Clear" from SMF Admins... I just disabled password reminders... You can basically rename/delete Reminder.php in the sources folder.

vbgamer45

It is nothing to worry about. This does not work at all; there are checks in place and the change code is randomly generated. You can try it on your own test board/forum; it will not do anything.

azorot

So you're stating that the exploit would not work. These issues are what cause people to lose faith. BTW, if I wanted, as of right now I would be able to gain admin privilege here.


For those who may be skeptical of this issue, please look again. You're right, a simple copy-paste will not work with this; you're going to receive "user does not exist". However, changing this string by a bit will allow you to gain admin rights. It's sad that defacements have to happen for this to be patched.


cicka

That doesn't work for me either. I get a "User does not exist" error message.

yashpatel

It's working or not working, whatever,
but it's asking for a new pass; that means something is wrong in the coding. That's it.
Please patch it ASAP :-)

flapjack

Quote from: azorot on June 29, 2010, 05:45:55 AM
For those who may be skeptical of this issue, please look again. You're right, a simple copy-paste will not work with this; you're going to receive "user does not exist". However, changing this string by a bit will allow you to gain admin rights. It's sad that defacements have to happen for this to be patched.

You will have as much luck as if you guessed the password itself, maybe a little bit more. Until someone proves this works, it's just bull.

cicka

Quote from: yashpatel on June 29, 2010, 11:18:48 AM
It's working or not working, whatever,
but it's asking for a new pass; that means something is wrong in the coding. That's it.
Please patch it ASAP :-)

No reason to panic or spread one. If there is no security risk then there is no rush to act immediately on it.

gamesmad

Yes, you can make it bring up the change password screen.

But, the change password screen doesn't work, it gives a user does not exist message every time.

This is nothing to worry about.

live627

Can someone please move this topic to Bogus Bugs? Thank you
