News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

SMF 1.1.6 Remote Code Execution Exploit

Started by osjak, November 05, 2008, 07:53:47 AM

Previous topic - Next topic

osjak

Quote from: yaax on November 06, 2008, 02:31:53 PM
In php you have three kinds of magic_quotes - which one need to be ON?
You have:
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

I have magic_quotes_gpc as ON, but not sure regarding all others.

This is what I have:


admin@www1:~$ grep 'magic_quotes' /etc/php5/apache2/php.ini
magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off


This settings seemed to prevent the exploit. I'm not an expert though, so take this with a grain of salt. I also implemented the advise from n3rve several posts above.

metallica48423, thank you for keeping us updated!

青山 素子

#21
The magic_quotes_gpc setting should be the only one you need on.

I tested both exploits, and the package manager one doesn't work as advertised (you need to modify it a bit to get it working), but the theme one does work easily.

Note that 2.0 is not currently affected by either exploit as they are currently. So, at this point, 2.0b4 is unaffected. After working on the 1.1 issues, we will investigate the same areas in 2.0 to make sure they don't have a similar issue.

Edit: Also, the main funciton being used in the exploits to actually run things is passthru(). SMF doesn't use this function, so you can try disabling it in PHP if you have the access to do so. It won't stop the exploit, but should make it harder to get a payload running.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


N3RVE

Quote from: osjak on November 06, 2008, 02:18:10 PM
Can we also ask that there will be instructions on how to update code manually? My sites are modified too heavily to be updated  conventional way.

There is a topic in the Install and Upgrade Help board where the Manual instructions are posted, I'll update the topic shortly after the release.

-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org                       
Quote"Somewhere, something incredible is waiting to be known." - Carl Sagan

D M G

Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.

osjak

Quote from: D M G on November 07, 2008, 08:18:53 PM
Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.

Fearmongers??? Let me remind you this is the only topic where this issue has been addressed by SMF team for everyone's (yours also) benefit. May be you don't care about your site's security but I certainly appreciate those suggestions from n3rve that helped everyone to wait for the release of 1.1.7 without losing their websites.

D M G

Laughable. Really. Don't tell me what I know and don't know about securing my site.

You could have handled this easily by informing the proper people, they even have a handy form to do so. Instead you came on here yelling and making those who don't know a whole lot except how to login to their board and not much else panic and fluster. It's pretty ignorant.



osjak

I'm sorry for getting you into panic mode. My intent was to get information on how to secure SMF for myself and to those ho care. If you don't care, you may laugh all you want, up until the point when your website is taken out by a script kiddie.

D M G

Oh I didn't panic, you're deliberately misreading me but I'd expect that from someone of your calibre.


metallica48423

Guys, please take this out of these boards.  we have a policy of respect and fairness here.

Nobody's right or wrong.  This topic was not the first nor the last notification we got on the issue so fortunately it was already under ways when this came up.

The important thing is key -- we need to know about these things to fix them.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

QuoteMicrosoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

palofdru

Quote from: D M G on November 07, 2008, 08:18:53 PM
Thanks to the team for addressing this so quickly. Also, thank you for not pandering to fearmongers like osjak who don't follow the rules for submitting vulnerabilities.
^^ :( typical.

"User who raised legitimate concern attacked by "rabid fanboy".


SMF, as a commercial enterprise, zealously guards it's reputation, sometimes I think, at the expense of transparency and openness.

Regarding osjak's post,  I'm not a fan of posting direct links to exploits, without additional narrative, primarily because the risk is not 'exposing exploits to hackers whom may already be aware of them' but rather disseminating hacker info to disgruntled forum members who have been banned, disciplined or are just plain "idle hands assholes"

However, I would have hoped that when news of the exploit was first released, SMF gave the exploit a bit more coverage, say on the front page.

ie.
and immediately and prominently pointing to the initial work around, to be implemented in the immediate hours before a sanctioned update is available.

There is something creepily Orwellian with the 'disappearing' of posts, almost as if we are more concerned with perception management and not security. Heck, I'm not asking nor even expecting SMF to be totally secure! The  current White House is as paranoid and closed as they come, and even they got hacked, so yeah, sh*t happens, but dont cover it up, missquote/missrepresent and downplay issues.
My best suggestion to you is that you do whatever you feel like doing, for whatever reason you choose to make, without any required explanation nor justification. You probably will, so hop to it!

boo hoo!

Advertisement: