Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: maher84 on July 29, 2014, 02:26:11 PM

Title: Vulnerability
Post by: maher84 on July 29, 2014, 02:26:11 PM
Hello

What about the vulnerability I reported 2 days ago for SMF 2.0.8?
Title: Re: Vulnerability
Post by: Illori on July 29, 2014, 02:32:47 PM
You want an update? If it is to be fixed it will be included in the next patch for 2.0 branch. Usually the dev team does not reach out to those that report issues unless they need more information.
Title: Re: Vulnerability
Post by: maher84 on July 29, 2014, 02:41:27 PM
I don't need an update, I patched it myself. But all of you SMF users need to patch it also.

I thought SMF team would answer to me because it's a critical flaw

and there is more to come..

Regards
Title: Re: Vulnerability
Post by: Arantor on July 29, 2014, 02:46:11 PM
The team is normally fairly prompt with dealing with vulnerabilities.

However, there are areas in SMF currently that have what are classified as XSS flaws that have been reported before and decided as 'will not fix' in the 2.0 branch because they are actively used by some users for unexpected side effects. The normal one is the board description for including raw HTML but there are other cases I'm aware of.

If it's admin-only, it's generally not considered so serious anyway because you still need to exploit an admin account and if you already did that, there are far more serious things you can do than merely exploit an XSS hole anyway. The theme editor, for example, is an XSS hole in itself, only it's worse because it allows for editing raw PHP and everyone seems to forget this is an XSS hole by design.
Title: Re: Vulnerability
Post by: Kindred on July 29, 2014, 06:49:41 PM
It is hardly a "critical flaw" and it is "admins only" which you already noted in your report.

It possibly will be patched in the next release, but there is little chance of this affecting anyone in real life, since - if the hacker has admin access, he can already do anything he wants.
Title: Re: Vulnerability
Post by: Arantor on July 29, 2014, 07:03:33 PM
I hope you're not making the same argument about the one I raised a short while ago? Even though that's admins only, the one I raised is potentially more serious than an XSS in an admin form.
Title: Re: Vulnerability
Post by: Kindred on July 29, 2014, 09:03:35 PM
No Arantor, as potentially unlikely as I find yours to be, they are real... Well, this one is real too... But anyway... 2.0.9 is being worked on... We just don't want to make the same mistakes that happened in 2.0.8 release.
Title: Re: Vulnerability
Post by: Arantor on July 30, 2014, 03:11:59 AM
Please don't say 'unlikely'. Unlikely things have a nasty habit of being abused in a malicious context. It should be noted that after the initial wave of 'pah, not a serious issue', one night while drunk I considered demonstrating it, but only a sense of ethics and a minor desire not to be permabanned from here stopped me.