Possible issue with smfapi...

Started by Glyph, September 18, 2016, 04:11:51 AM

Glyph

I recently discovered a pretty big possible issue with the SMFAPI today...

I'm not sure it's considered an "exploit"; it's more of a possible oversight. I'm also not sure how the programming model is supposed to be with APIs, but I'm pretty sure it shouldn't allow for arbitrary administrator password changes...

If anyone could point me in the right direction to get Andre's attention, I'd appreciate it. (His website appears to be down.)

This is in regards to the SMF 2.0 API. There appears to be an if statement that shouldn't allow for this, but in my case it does. I think more unit testing should be done... If someone trusted to SMF would like to check this out, I'd be happy to send you the details.


Not sure if this is better suited for bug reports on account of this not technically being a core issue.

Illori

I am pretty sure Andre is not around any longer, given the last time he logged in. If you consider it a security issue, feel free to report it as such to our security form, and since he made the API BSD licensed we can look into getting it modified. Otherwise you can post the details here and we can take it from there.

http://www.simplemachines.org/about/smf/security.php

Glyph

I went ahead and submitted a report, thank you!