SMF 1.1.19 and 2.0.6 critical security patches released

Started by Illori, October 21, 2013, 10:18:01 AM


Arantor

No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.

The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.

fear_the_squirrels

Quote from: Arantor on October 27, 2013, 01:57:43 PM
No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.

The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.

It looks like all the changes in the change log were applied aside from the @version 2.0.6 one.  I'll just apply that by hand.  Thanks for your help!

-Chris

Arantor

Yeah, that's the only one that was missed, and we have been dealing with it. ;)

wwwserfer

Quote from: Arantor on October 27, 2013, 12:52:31 PM
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.

Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.

Thanks for the answer! all cleared up now =)
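The exchange above describes SMF rejecting a GIF because the attachment scanner found suspicious-looking strings inside it. As an added illustration of that kind of check (example code written for this page, not SMF's own attachment code), the following validator confirms the image magic bytes and then scans the raw bytes for script-like fragments. The pattern list, the function names and the sample GIF bytes are constructed for the example and are not taken from SMF.

```python
"""Added example, not SMF's code: reject image uploads that carry
script-like strings, in the spirit of the check described in the thread.
The signature list and helper names are assumptions for illustration."""
import re

# Magic bytes for the image types we accept (constructed list, not SMF's).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Byte patterns that have no business inside an image file. Matching is
# case-insensitive so <SCRIPT and <Script are caught as well.
SUSPICIOUS = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"<script\b", re.I),
    re.compile(rb"javascript:", re.I),
    re.compile(rb"<iframe\b", re.I),
    re.compile(rb"\bon(load|error|click)\s*=", re.I),
]


def detect_type(data: bytes):
    """Return the image kind by magic bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_suspicious(data: bytes):
    """Return the lowercased fragments that matched a suspicious pattern."""
    hits = []
    for pat in SUSPICIOUS:
        m = pat.search(data)
        if m:
            hits.append(m.group(0).decode("latin-1").lower())
    return hits


def check_upload(data: bytes):
    """Return (accepted, reason). Unknown formats and embedded
    script-like strings are both rejected, as the thread describes."""
    kind = detect_type(data)
    if kind is None:
        return False, "not a recognised image format"
    hits = find_suspicious(data)
    if hits:
        return False, "suspicious strings in %s: %s" % (kind, ", ".join(hits))
    return True, kind


# Constructed sample inputs: a minimal 1x1 GIF, and the same GIF with a
# GIF comment extension (0x21 0xFE, length, data, 0x00) carrying a script
# tag, the sort of leftover an editor or injected payload might leave.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
    b"\x00\x02\x02D\x01\x00;"
)
TAINTED_GIF = CLEAN_GIF[:13] + b"!\xfe\x10<SCRIPT>alert(1)\x00" + CLEAN_GIF[13:]

if __name__ == "__main__":
    print(check_upload(CLEAN_GIF))
    print(check_upload(TAINTED_GIF))
    print(check_upload(b"<?php echo 1;"))
```

Stripping metadata with an image editor, as suggested above, removes the comment block the tainted sample carries; re-encoding the image also works, since only pixel data survives the round trip.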

margarett

If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Kindred

and please note that this thread is NOT for support...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."



HauntIT

Nice, but it's still vulnerable :*

(Read the mail from few minutes ago to [email protected], there is more details).

Cheers
o/

Arantor

I saw your email.

I'm actually a bit annoyed because saying "hey I found a vulnerability" doesn't help anyone actually fix it. Please provide full details (either to [email protected] or to the security report page) rather than saying you found a vulnerability and waiting for an email to see if we're interested or not - because we're *always* interested to hear about issues so we can patch them!

HauntIT

Cool ;)

Give me a few minutes and I will send you a raw copy/paste of the traffic from Burp.
All done 10 minutes ago, so if you want some help/information about patch, I must see the code.

Cheers
o/

Arantor

Email received and investigating, thank you :)

Re being annoyed... we take security very seriously and someone emailing saying 'hey, I've got a vuln, are you interested' just provokes more emails and more discussion than necessary ;)


One thing I will add up front: board names/descriptions and censored words accepting unsanitised raw HTML is not going to be patched in 2.0 because some admins are relying on this bad behaviour for formatting. It gets reported pretty much every time and pretty much every time we declare we can't fix it in 2.0 for the same reason.

HauntIT

Ok... so 'for admin' we have 'only 5 new' ;)

Ok Arantor. Like I said, if I will find anything new, I will send you more detailed email asap.

Have a nice day!

o/

Arantor

First up, thanks :) Any report is better than no report, even if it turns out to be a damp squib.

Secondly, yup, these all require admin permissions to exploit, which automatically makes them slightly less of an issue - but no less necessary to fix. It just means we don't need to rush it out 'right now' in a practical sense (if not an idealistic one)

Admin and XSS is an interesting problem to solve, because all of the exploits are, yes, problems. But in comparison to other things you can do as an admin, it's almost a non-issue. Admins can edit the raw PHP templates themselves, directly from the admin panel - which is a far greater security issue in practice. But no-one seems to actually consider the intentional editing of raw PHP - and thus *total XSS vector* - of such. We have, as far as I know, never received a report that this could be exploited... but of course it can, with no more difficulty than almost every normal XSS vector.

The real concerns are the ones in the database, of course, because they don't have to run the gamut of file permissions.

There are plenty of other practical issues that can't be solved any time soon like the vulnerability of uploading a new theme (which is raw PHP)... and new modifications (which are raw PHP) but curiously no-one ever seems to consider these *vulnerabilities*.

Dijboy


kerso

Hi guys,

Is there any problem with Subs-Members.php in the 2.06 patch? It still says 2.0.1 as the version, but an update looks like it is required in the version control panel. I'll be glad to get a comment about this issue; am I wrong?

Thanks,
kerso.

Arantor

There's nothing wrong with the 2.0.6 patch, the patch does it just fine.

The problem is with the main install file/large upgrade package where they didn't get the updated version number.

Campanule

You have done great again - thank you very, very much  :D


Kolya

