SMF 2.0.4 and 1.1.18 critical security patches released

Started by emanuele, February 01, 2013, 05:26:51 PM


NekoJonez

Question: is it safe to remove the 2.0.3 patch from the package manager after the 2.0.4 patch is installed?
Retro video game blogger, writer, actor, podcaster and general amazing dude.


mashby

Quote from: JonezJeA on May 02, 2013, 06:15:19 AM
Question: is it safe to remove the 2.0.3 patch from the package manager after the 2.0.4 patch is installed?
Yes. :)
Always be a little kinder than necessary.
- James M. Barrie

Arantor

NO IT IS NOT.

You can *delete* the patch provided you do NOT uninstall it. (Deleting the package will just remove the uninstall instructions. If you uninstall it, the vulnerabilities will be returned, regardless of whether the 2.0.4 patch is installed or not)

NekoJonez

Quote from: Arantor on May 02, 2013, 06:55:38 AM
NO IT IS NOT.

You can *delete* the patch provided you do NOT uninstall it. (Deleting the package will just remove the uninstall instructions. If you uninstall it, the vulnerabilities will be returned, regardless of whether the 2.0.4 patch is installed or not)

I won't uninstall it :P
I'm not one of those idiots x)
Retro video game blogger, writer, actor, podcaster and general amazing dude.


mashby

Always be a little kinder than necessary.
- James M. Barrie

Arantor

We should not be blasé about this.

How often do we tell people not to delete things but to uninstall them first? This happens... what... once a week that we have to deal with someone who's deleted a mod without uninstalling.

mashby

Yes, for that I am sorry. Wasn't clear enough. At least JonezJeA understood remove wasn't uninstall.
Always be a little kinder than necessary.
- James M. Barrie

pacefalu

I am new to managing a website forum. I am using version SMF 2.0.4 and I am trying to download and install the patches... I have gone to the download area but cannot find where the security patches are and how to download and install... I only see third party updates... Is there a button I can press that will simply download and install my security patches...

Also I am getting the "Unable to verify referring url. Please go back and try again." error message and I have searched your community and have been told that the url values have to match exactly... How do I check this information and how do I correct it... I have been through all of the options in the admin area... I would like to apologize for the newbie requests, but I am at the end of my rope.


Gary

You're running 2.0.4, you do not need to update.
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.


Arantor

*yawn* Not this one AGAIN.

Quote
to successfully exploit smf 2.0.4 we need correct admin's cookie

As in, if they already have your admin details, shock horror they can break things. If they don't have your admin details, nothing can be done to cause any damage.

zlotowinfo

What do you mean by "have your admin details", and how can he get them?

Arantor

In order for this to be exploited, the hacker must either 1) have managed to grab your session details or 2) have figured out your password.

Having obtained session or password, he can log in as you, and do whatever he was going to do anyway, like install mods, install themes, modify theme code... all things that carry the exact same 'risk' as that vulnerability.

The dev team are aware of this and are well aware of the low risk of it.

Burke ♞ Knight

Quote from: Arantor on May 26, 2013, 06:28:04 PM
2) have figured out your password.


That is why you should always use at least 8 characters in your passwords. Also, you should use a mixture of characters, as well as making it a habit to change your password every now and then. That should be more than enough to prevent something like that from happening.

emanuele



Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us to help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.


Colin

Thanks for the nice words. I am glad everything is working for both of you.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

krittin98

I am using SMF 2.0.4.
Can anyone tell me where I can download this?

The Team K Developers
www.theteamk.co.nr

Kindred

If you are using 2.0.4, you do not need to download anything.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

DamselStruction

Hello,

Thank you in advance for any assistance you may be able to provide.

The admin panel identifies my current version as 1.1.17

I have always listened to the reminders about updates in my admin panel, but just recently my board started to function badly and at the same time I received a reminder about "Updating my forum". This has never been a problem in the past, but this time, when I click on the link to ["Update your forum" it only takes a few minutes!"] it will not update, but instead always displays this error -

2: unlink(C:\Inetpub\vhosts\damselstruction.ieasysite.com\httpdocs\Belly_Punching_and_Navel_Love/Packages/temp/$auto_0.txt) [<a href='function.unlink'>function.unlink</a>]: Permission denied
File: C:\Inetpub\vhosts\damselstruction.ieasysite.com\httpdocs\Belly_Punching_and_Navel_Love\Sources\Subs-Package.php
Line: 1174

The way the problem originally presented itself was that my "Stop Spammer" stop forum spam feature stopped working, when you check a list of spam accounts to delete, and try to "Reject" them, the same error appears and the operation will not complete.

Thanks,

Jim
