http :// server/ smf/ index.php?action=reminder;sa=setpassword;u=1;code=0eb3d1f811
Discussed already. Bogus, doesn't work.
I tried it myself
It's working
Doesn't work. You will get an error when you fill out the form saying bad code
I'd like to get verification from an Admin that this is nothing to worry about.
If this is true, it could be very harmful.
http://www.exploit-db.com/exploits/14045/
To fix temporarily, while waiting for a real fix or an "All Clear" from SMF Admins...I just disabled password reminders...You can basically rename/delete Reminder.php in the sources folder.
It is nothing to worry about. This does not work at all; there are checks in place and the change code is randomly generated. You can try it on your own test board/forum; it will not do anything.
So you're stating that the exploit would not work. These issues are what cause people to lose faith. BTW, if I wanted, as of right now I would be able to gain admin privilege here.
For those who may be skeptical of this issue, please look again. You're right, a simple copy-paste will not work with this; you're going to receive "user does not exist". However, changing this string by a bit will allow you to gain admin rights. It's sad that defacements have to happen for this to be patched.
That doesn't work for me either. I get a "User does not exist" error message.
It's working or not working, whatever,
but it's asking for a new pass; that means something is wrong in the coding.. that's it
Please patch it ASAP :-)
Quote from: azorot on June 29, 2010, 05:45:55 AM
For those who may be skeptical of this issue, please look again. You're right, a simple copy-paste will not work with this; you're going to receive "user does not exist". However, changing this string by a bit will allow you to gain admin rights. It's sad that defacements have to happen for this to be patched.
You will have as much luck as if you guessed the password itself. Maybe a little bit more. Until someone proves this works, it's just bull.
Quote from: yashpatel on June 29, 2010, 11:18:48 AM
It's working or not working, whatever,
but it's asking for a new pass; that means something is wrong in the coding.. that's it
Please patch it ASAP :-)
No reason to panic or spread one. If there is no security risk then there is no rush to act immediately on it.
Yes, you can make it bring up the change password screen.
But the change password screen doesn't work; it gives a "user does not exist" message every time.
This is nothing to worry about.
Can someone please move this topic to Bogus Bugs? Thank you
Quote from: tj007s13 on June 26, 2010, 03:10:27 PM
http://www.exploit-db.com/exploits/14045/
It seems this was removed from the exploit-db as well ;)
Quote from: live627 on July 14, 2010, 12:06:50 AM
Can someone please move this topic to Bogus Bugs? Thank you
Sure thing.