Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: yashpatel on June 26, 2010, 02:32:37 PM

Title: Simple Machines Forum 1.1.11 Change Admin Password
Post by: yashpatel on June 26, 2010, 02:32:37 PM
http :// server/ smf/ index.php?action=reminder;sa=setpassword;u=1;code=0eb3d1f811
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: flapjack on June 26, 2010, 02:33:24 PM
discussed already. bogus, doesn't work.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: yashpatel on June 26, 2010, 02:35:07 PM
i tryed it myself
its working
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: vbgamer45 on June 26, 2010, 02:37:01 PM
Doesn't work. You will get an error when you fill out the form saying bad code
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: tj007s13 on June 26, 2010, 03:10:27 PM
I'd like to get verification from an Admin that this is nothing to worry about.

If this is true, it could be very harmful.

http://www.exploit-db.com/exploits/14045/

To fix temporarily, while waiting for a real fix or an "All Clear" from SMF Admins...I just disabled password reminders...You can basically rename/delete Reminder.php in the sources folder.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: vbgamer45 on June 26, 2010, 03:17:18 PM
It is nothing to worry about. This does not work at all there are checks in place and the change code is randomly generated. You can try it on your own test board/forum it will not do anything
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: azorot on June 29, 2010, 05:45:55 AM
so your stating that the exploit would not work. These issues are what cause people to lose faith. BTW if i wanted as of right now i would be able to gain admin privilege here.


for those whim may be skeptic of this issue please look again. you right a simple copy past will not work with this your going to receive user does not exist however changing this string by a bit will allow you to gain admin right. It's sad that defacement have to happen for this to be patched.

Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: cicka on June 29, 2010, 06:27:57 AM
That doesn'twork for me too. I get an User does not exist error message.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: yashpatel on June 29, 2010, 11:18:48 AM
it working or not working whatever
but it asking for new pass that means something is wrong in coding.. thts it
plz patch it asap :-)
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: flapjack on June 29, 2010, 11:34:33 AM
Quote from: azorot on June 29, 2010, 05:45:55 AM
for those whim may be skeptic of this issue please look again. you right a simple copy past will not work with this your going to receive user does not exist however changing this string by a bit will allow you to gain admin right. It's sad that defacement have to happen for this to be patched.
you will have as much luck as if you guess the password itself. maybe little bit more. until someone proves this works, it's just bull.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: cicka on June 29, 2010, 11:40:34 AM
Quote from: yashpatel on June 29, 2010, 11:18:48 AM
it working or not working whatever
but it asking for new pass that means something is wrong in coding.. thts it
plz patch it asap :-)

No reason to panic or spread one. If there is no security risk then there is no rush to act immediatley on it.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: gamesmad on July 01, 2010, 03:15:22 PM
Yes, you can make it bring up the change password screen.

But, the change password screen doesn't work, it gives a user does not exist message every time.

This is nothing to worry about.
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: live627 on July 14, 2010, 12:06:50 AM
Can someone please move this topic to Bogus Bugs? Thank you
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: Aleksi "Lex" Kilpinen on July 14, 2010, 03:35:23 AM
Quote from: tj007s13 on June 26, 2010, 03:10:27 PM
http://www.exploit-db.com/exploits/14045/
It seems this was removed from the exploit-db as well ;)
Title: Re: Simple Machines Forum 1.1.11 Change Admin Password
Post by: Acans on July 14, 2010, 06:15:48 AM
Quote from: live627 on July 14, 2010, 12:06:50 AM
Can someone please move this topic to Bogus Bugs? Thank you

Sure thing.