Advertisement:

Author Topic: Recent security issue reported  (Read 18640 times)

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Recent security issue reported
« on: May 16, 2013, 02:42:51 PM »
Recently an "exploit" has been reported, for example:
http://exploitsdownload.com/search/smf%202.0.4%20exploit/
http://packetstormsecurity.com/files/121391/SMF-2.0.4-PHP-Code-Injection.html

The core of the issue is in this comment:
Code: [Select]
// to successfully exploit smf 2.0.4 we need correct admin's cookie:Is it something annoying? Yes.
Is it a security issue? No.

It is no more dangerous than any other piece of the admin panel that allows admins to change any (writable) file on the server.

If a security issue that will need a release will be discovered, then it may be worth fix this unintended behaviour, otherwise a fix will be provided in the next version of SMF.


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,383
    • StoryBB/StoryBB on GitHub
Re: Recent security issue reported
« Reply #1 on: May 16, 2013, 02:45:13 PM »
Thanks for the official heads-up ;)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Chalky

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 3,380
  • Gender: Female
  • If in doubt, give me beer...
    • ChalkCat
Re: Recent security issue reported
« Reply #2 on: May 16, 2013, 02:57:35 PM »
Thanks Emanuele  :)

Offline 4Kstore

  • SMF Hero
  • ******
  • Posts: 4,317
  • Gender: Male
    • agustintari on Facebook
    • @agustintarifa on Twitter
    • SSIMPLE TEAM PAGE
Re: Recent security issue reported
« Reply #3 on: May 16, 2013, 03:51:28 PM »
Glad to know it, thanks ema!
¡¡NEW MOD: Sparkles User Names!!!

kat

  • Guest
Re: Recent security issue reported
« Reply #4 on: May 16, 2013, 04:00:42 PM »
Nicely put, Manny. :)

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Recent security issue reported
« Reply #5 on: May 16, 2013, 06:52:52 PM »
Thanks for the official heads-up ;)
I waited to see if someone else wanted to have his nick on a topic here but since everybody here around are shy I had to... :P


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Online Antes

  • Evil Black Cat
  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,942
  • Gender: Male
  • Black cat rulz!
    • Antes on GitHub
    • merta on LinkedIn
    • @XinYenFon on Twitter
    • WoWSnips
Re: Recent security issue reported
« Reply #6 on: May 17, 2013, 02:16:36 PM »
Thanks for the info :)

quick question: its not possible in 2.1 because of tokens right?
You can support me directly via Patreon

In Catnip We Trust.
The solution is Catnip!
Vote for Catnip!

Current Project(s): [ WoWSnips ]
Past Project(s): [ ezPortal ] # [ Lunarfall ] # [ RDD (HTML5) ]

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Recent security issue reported
« Reply #7 on: May 17, 2013, 02:17:48 PM »
Tokens have nothing to do with that.
In 2.1 is still the same and should be fixed.


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,383
    • StoryBB/StoryBB on GitHub
Re: Recent security issue reported
« Reply #8 on: May 17, 2013, 02:20:11 PM »
I'm going to go out on a limb here and say: the tokens make precisely zero difference.

In fact, as I said elsewhere, I'm really not convinced tokens make any real difference at all.

OK, so the token prevents drive-by POSTs like this, sure. But all a hacker has to do is make two requests, not one, the first request to open the page in question (which gets them the token) and then submit that token straight back to carry out the actual malicious stuff.

It makes it *slightly* harder, the real protection is still the fact that you have to hijack an admin's session directly anyway.

I would love someone to show me what benefit tokens actually provide. (Especially since I can imagine mod authors not using them anyway.)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.