*Summary:*
--------------
A security flaw allows an attacker to know the full path of the web system.
*Details:*
-----------
SSI.php Line 294:
// Fetch a post with a particular ID. By default will only show if you have
// permission to see the board in question - this can be overridden.
function ssi_fetchPosts($post_ids, $override_permissions = false, $output_method = 'echo')
{
$post_id is not defined. Possible fix: ($post_id = '')
*PoC:*
-------
http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
*Google Dorks:*
---------------------
inurl:?index.php?action=help
*Demos:*
-----------
Temporary Solution:
---------------------
SSI.php line 45:
$ssi_error_reporting = error_reporting(defined('E_STRICT') ? E_ALL | E_STRICT : E_ALL);
Replace:
$ssi_error_reporting = error_reporting(0);
Functions affected:
-----------------------
. fetchMember
. fetchPosts
. fetchGroupMembers
. queryMembers
Source:
--------
http://whk.drawcoders.net/index.php/topic,2792.0.html
Mirrors:
-------------------------
http://seclists.org/fulldisclosure/2013/Jan/14
http://packetstormsecurity.com/files/119240/smf-disclose.txt
http://cxsecurity.com/issue/WLB-2013010025
https://foro.elhacker.net/nivel_web/path_disclusore_en_simplemachines_forum_203-t379876.0.html
It's not just fetchPosts that will cause this, actually. fetchMember, fetchGroupMembers, queryMembers are all vulnerable to this same bug.
If it wasn't for the fact that voting via SSI requires the query-via-HTTP function, I'd suggest disabling that entirely.
Confirmed the second one allows reading any file. It seems to only return the first part of the file; there seems to be a limit on how much data it will take from the file (20 lines), but you can read other parts of the file using the line number if passed.
Yes...
http://test.con/forum/index.php?action=...&line=37
to read MySQL Password of SimpleMachines.
Hello,
I just checked and it is strange, but on one server I couldn't read paths, while on another server where I have a few SMF boards they were affected by this.
Could it be possible that this hack depends on server configuration? (php.ini, my.ini etc.)
Think you'll find a lot of this depends on having admin rights.
Not that there isn't an issue - because there is - but since it's not just open to everyone and everything, it's not the issue it might be.
Quote from: Nolt on January 10, 2013, 05:05:50 PM
Hello,
I just checked and it is strange, but on one server I couldn't read paths, while on another server where I have a few SMF boards they were affected by this.
Could it be possible that this hack depends on server configuration? (php.ini, my.ini etc.)
Hi SMF Forum ;)
This is my first post here, anyway:
Nolt: yes, this could depend on php.ini settings. Check if you have enabled parameters like register_globals, display_errors, html_errors, etc., and disable them. Then your errors should not be presented anymore. ('For debug' you can set +w on some file on your server and then send your logs there, but be careful here too, because somewhere in your webapp code there could be an LFI bug, and there you will be owned. ;) )
Best regards,
Jakub
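The temporary fix in the advisory (error_reporting(0) at SSI.php line 45) and Jakub's php.ini advice both aim at the same thing: stop PHP from rendering notices into the page. The following is an added example, not SMF's code or anything from the advisory, showing an include prologue that keeps full reporting for the administrator while never exposing a filesystem path to the client; the log path and the helper names are assumptions.

```php
<?php
// Added example (not SMF code): hardened error-handling prologue for an
// SSI.php-style include. A notice such as the undefined $post_id inside
// ssi_fetchPosts() is still logged, but nothing containing a path is displayed.

// Weak configuration, the shape of SSI.php line 45 in the advisory:
//   error_reporting(defined('E_STRICT') ? E_ALL | E_STRICT : E_ALL);
// With display_errors=On in php.ini every notice is printed into the response as
//   Notice: Undefined variable: post_id in /abs/path/forum/SSI.php on line N
// which is exactly the full path disclosure. error_reporting(0) hides it but
// also hides every real error from the administrator.

// Hardened configuration: keep full reporting, but route it to the log only.
error_reporting(E_ALL);
ini_set('display_errors', '0'); // never print diagnostics to the client
ini_set('html_errors',    '0'); // no HTML-decorated messages either
ini_set('log_errors',     '1'); // keep them for administrators
ini_set('error_log', '/var/log/php/smf_errors.log'); // assumed path, outside the web root

/**
 * Handler that logs full detail and returns true, which stops PHP's default
 * display logic, so even a stray display_errors=On cannot leak $errfile.
 */
function ssi_safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    error_log(sprintf('PHP[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
}
set_error_handler('ssi_safe_error_handler');

/**
 * Strip directory components from a diagnostic before it is ever shown to a
 * user (for example on a generic error page). Handles Unix-style paths only.
 */
function ssi_redact_paths(string $message): string
{
    return preg_replace('~(?:/[\w.\-]+)+/([\w.\-]+\.php)~', '$1', $message);
}

// Same bug shape as the advisory: a variable read before it is ever assigned.
// Under the prologue above this writes one line to the log and falls back to
// $post_ids instead of echoing a notice with the script's absolute path.
function demo_fetch(array $post_ids): array
{
    $selected = $post_id;              // undefined, as in the reported bug
    return is_array($selected) ? $selected : $post_ids;
}
```

Hardening display_errors in php.ini (or the vhost) is still the authoritative fix; the runtime ini_set() calls only protect requests that actually execute this prologue.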
Fixed in 2.0.4