2.0.11 exploit? - sup3rm4n ownz you

Started by EL34, December 29, 2016, 08:49:32 AM

EL34

I have my own Windows cloud server and my SMF forum is installed on that server.
I have two of my web sites on this server and no one else has access to my server.

On December 11th 2016, I noticed a file in the main directory called super.txt that had a file date of November 29 2016, 4:16am.
The file was on the same domain that I have my SMF forum installed on.

The contents of the text file super.txt were this:
sup3rm4n ownz you

So somehow, someone was able to upload this text file to my cloud server.
I started a support ticket at my cloud server host and they tried to figure out how this was done.
They did security scans and some updates in the last week while my business was closed for the holidays.
They found info that this may have been a Windows server exploit.

Just today they came back and said this happened via an exploit in my SMF forum.

At the time the file was uploaded, my forum was still at 2.0.11.
I did not notice that 2.0.12 was available until December 2nd, and that is when I updated my forum to 2.0.12.

So my question is this:

Is my cloud server host just blowing smoke because they can't find the real way this was done?
Was there really a way someone could upload a text file to my root directory via SMF 2.0.11?

Forum History -> EZBoard -> YABB -> SMF 1.1.19 -> SMF 2.0.19

Kindred

Ummm... they said a "Windows server exploit"?

If so, then it doesn't appear to be an SMF issue, but rather an issue with how their server is configured...

Although 2.0.12 did include some security patches, I don't believe that any of the patches involved anything that was particularly severe; most of the reported issues these days involve someone already having admin access...

So, a Windows exploit is like a doctor saying, "You had an infection..." There are thousands of bacteria strains that can result in an infection and thousands of ways in which one could have been exposed... Further details from your host are necessary.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

EL34

The Windows server exploit was their first response as to how it happened.

Now today they say it was an SMF exploit.

That's why I was asking here, to find out if such an exploit existed in 2.0.11.

Sounds like my cloud host is just grabbing at straws.

BTW, no one has admin access to my SMF forum except me, and I use password managers to create complex passwords.
The first thing I did after finding the uploaded file was to change my FTP password.
There has been no further activity since the file upload on November 29th.

Kindred

"It was an SMF exploit" - the excuse of the lazy host.

While it could be true that there is an undiscovered issue, as of 2.0.12 we have patched all known issues... and even the 2.0.12 patch was to fix some in the admin section, IIRC (which means that you needed admin access in the first place).

By looking at the logs for Nov 28 and 29, a decent host SHOULD be able to tell you what vector and command line the attacker used, even if they can't determine the exact code issue.
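Kindred's point about the Nov 28-29 logs, as an added example that is not code from this thread or from SMF: it walks IIS W3C log lines (constructed here) for write-capable requests in the window before super.txt's file time and for any request that fetched the file, then lists the client IPs to pivot on in the FTP and Windows event logs. It assumes the host logs in IIS W3C format and that the log and file timestamps share a time zone.

```python
"""Triage IIS W3C log lines around the timestamp of an unexpected file.

Added example, not code from the SMF forum or from anyone in this thread.
Assumes IIS default W3C logging (UTC timestamps) and that the file's
timestamp, 2016-11-29 04:16, is in the same zone. The log lines are constructed.
"""
from datetime import datetime, timedelta

# File time reported in the thread for super.txt (November 29 2016, 4:16am).
FILE_MTIME = datetime(2016, 11, 29, 4, 16)

# Constructed sample: one #Fields header, then data lines, as IIS writes them.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-11-29 03:40:12 10.0.0.5 GET /forum/index.php action=recent 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2016-11-29 04:14:55 10.0.0.5 POST /forum/index.php action=post2 80 - 203.0.113.9 python-requests/2.12 - 200 0 0 310
2016-11-29 04:15:48 10.0.0.5 POST /forum/index.php action=login2 80 - 203.0.113.9 python-requests/2.12 - 302 0 0 45
2016-11-29 04:16:03 10.0.0.5 GET /super.txt - 80 - 203.0.113.9 python-requests/2.12 - 200 0 0 5
2016-11-29 06:02:10 10.0.0.5 GET /forum/index.php - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 98
"""

# Methods that can carry a body or change server state; GET/HEAD cannot write.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE", "MOVE", "COPY"}

def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines, never misalign
                yield dict(zip(fields, values))

def suspicious_requests(log_text, file_mtime, filename, window=timedelta(minutes=30)):
    """Requests that could have written the file (write-capable method shortly
    before its mtime) or that fetched it afterwards (someone checking success)."""
    hits = []
    for r in parse_w3c(log_text):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        in_window = file_mtime - window <= ts <= file_mtime + timedelta(minutes=1)
        touches_file = r["cs-uri-stem"].lower().endswith("/" + filename.lower())
        if touches_file or (in_window and r["cs-method"] in WRITE_METHODS):
            hits.append(r)
    return hits

def client_ips(hits):
    """Client addresses to pivot on in the FTP log and Windows Security event log."""
    return sorted({r["c-ip"] for r in hits})
```

Run `suspicious_requests(SAMPLE_LOG, FILE_MTIME, "super.txt")` against the real IIS log for that day; an empty result with a matching FTP-log entry points at the FTP credential rather than the forum.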

Colin

Thanks for the report. As Kindred mentioned, nothing in 2.0.12 would have fixed this if it was indeed SMF. We haven't heard from anyone else of this sort of exploit. Can you ask your host what led them to believe SMF was the vector?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.
