Navigation

Search

Recent security issue reported

Posted by emanuele on May 16, 2013, 02:42:51 PM

Recently an "exploit" has been reported, for example:
http://exploitsdownload.com/search/smf%202.0.4%20exploit/
http://packetstormsecurity.com/files/121391/SMF-2.0.4-PHP-Code-Injection.html

The core of the issue is in this comment:
Code: [Select]
// to successfully exploit smf 2.0.4 we need correct admin's cookie:Is it something annoying? Yes.
Is it a security issue? No.

It is no more dangerous than any other piece of the admin panel that allows admins to change any (writable) file on the server.

If a security issue that will need a release will be discovered, then it may be worth fix this unintended behaviour, otherwise a fix will be provided in the next version of SMF.

Comments

Arantor on May 16, 2013, 02:45:13 PM said
Thanks for the official heads-up ;)
Chalky on May 16, 2013, 02:57:35 PM said
Thanks Emanuele  :)
4Kstore on May 16, 2013, 03:51:28 PM said
Glad to know it, thanks ema!
kat on May 16, 2013, 04:00:42 PM said
Nicely put, Manny. :)
emanuele on May 16, 2013, 06:52:52 PM said
Thanks for the official heads-up ;)
I waited to see if someone else wanted to have his nick on a topic here but since everybody here around are shy I had to... :P
Antes on May 17, 2013, 02:16:36 PM said
Thanks for the info :)

quick question: its not possible in 2.1 because of tokens right?
emanuele on May 17, 2013, 02:17:48 PM said
Tokens have nothing to do with that.
In 2.1 is still the same and should be fixed.
Arantor on May 17, 2013, 02:20:11 PM said
I'm going to go out on a limb here and say: the tokens make precisely zero difference.

In fact, as I said elsewhere, I'm really not convinced tokens make any real difference at all.

OK, so the token prevents drive-by POSTs like this, sure. But all a hacker has to do is make two requests, not one, the first request to open the page in question (which gets them the token) and then submit that token straight back to carry out the actual malicious stuff.

It makes it *slightly* harder, the real protection is still the fact that you have to hijack an admin's session directly anyway.

I would love someone to show me what benefit tokens actually provide. (Especially since I can imagine mod authors not using them anyway.)