About Simple Machines
- Contact Us
- Core Values
- Open Source
- Why free is better
- Simple Machines Members
- Simple Machines Blogs
Recent security issue reportedMay 16, 2013, 02:42:51 PM Posted by emanuele on May 16, 2013, 02:42:51 PM in Recent security issue reported | 8 CommentsRecently an "exploit" has been reported, for example:
The core of the issue is in this comment:
// to successfully exploit smf 2.0.4 we need correct admin's cookie:
Is it something annoying? Yes.
Is it a security issue? No.
It is no more dangerous than any other piece of the admin panel that allows admins to change any (writable) file on the server.
If a security issue that will need a release will be discovered, then it may be worth fix this unintended behaviour, otherwise a fix will be provided in the next version of SMF.
Arantor on May 16, 2013, 02:45:13 PM saidThanks for the official heads-up
Chalky on May 16, 2013, 02:57:35 PM saidThanks Emanuele
4Kstore on May 16, 2013, 03:51:28 PM saidGlad to know it, thanks ema!
kat on May 16, 2013, 04:00:42 PM saidNicely put, Manny.
emanuele on May 16, 2013, 06:52:52 PM said
Quote from: Arantor on May 16, 2013, 02:45:13 PMI waited to see if someone else wanted to have his nick on a topic here but since everybody here around are shy I had to...
Thanks for the official heads-up
Antes on May 17, 2013, 02:16:36 PM saidThanks for the info
quick question: its not possible in 2.1 because of tokens right?
emanuele on May 17, 2013, 02:17:48 PM saidTokens have nothing to do with that.
In 2.1 is still the same and should be fixed.
Arantor on May 17, 2013, 02:20:11 PM saidI'm going to go out on a limb here and say: the tokens make precisely zero difference.
In fact, as I said elsewhere, I'm really not convinced tokens make any real difference at all.
OK, so the token prevents drive-by POSTs like this, sure. But all a hacker has to do is make two requests, not one, the first request to open the page in question (which gets them the token) and then submit that token straight back to carry out the actual malicious stuff.
It makes it *slightly* harder, the real protection is still the fact that you have to hijack an admin's session directly anyway.
I would love someone to show me what benefit tokens actually provide. (Especially since I can imagine mod authors not using them anyway.)Advertisement: