http://www.milw0rm.com/exploits/6993 At the SMF forums it seems like they tried to brush this under the rug too. http://www.simplemachines.org/community/index.php?topic=272393.0 SMF owners, be aware your forums are subject to be demolished pretty damn quick as this gets around. And it looks like a patch is a few days away. So make backups quick just in case. This is so unfortunate since SMF is really known for its excellent security.
See, to whoever said that SMF never gets any exploits, they are wrong.... Just shows that all forum software gets exploits, it just depends on how long the admins take to fix it. And for SMF it is over 72 hours? MyBB updates for exploits faster than SMF.
We already have a VS thread. This should be about the exploit and its potential for harm to SMF sites.
I don't think anyone would ever say any software on the internet is 100% secure and will always be. People can say systems are more secure than others do - and that's the point I believe that was made by another member. It has not even been 48 hours yet and I believe it took myBB to even acknowledge a security threat a few weeks. But I'm just adding fuel to the fire and don't know why you're comparing SMF to myBB. Anyhow, as far as I know the devs are working really hard to fix this and preventing it so nothing like it comes back in the future. SMF 1.1.7 should be packaged soon and released. Anyone using 1.1.6 should apply the code edit in the post and make backups.
MyBB had a fix for it within hours of publication. I have never known MyBB to dismiss something posted at milw0rm. So all you SMF users just hold tight... you have a moderate to severe exploit and that means you have to wait even longer for a fix. SMF is working really hard to make sure you're secure; in the meantime you are totally vulnerable and everyone knows it.
On one of the hack forums that the milw0rm link was posted on, one of the members hacked into a SMF forum with 200k users... I bet the admin regrets using SMF now lol
Yeah, you would think they would be smart enough to post an advisory and tell admins with concerns to temporarily disable attachments...
Hate to say it but myBB was warned several weeks beforehand via their report system. They posted this on the web without notification. The myBB had several weeks to complete the security issue and I'm sure the myBB devs would not be able to patch up fast as the SMF team is. Considering the myBB development team is all kids. :/
I find it interesting you have to revert to false accusations, especially when they are those kind of low-level discriminating accusations as stated in your last sentence. Please read this... Read the full post: http://www.theadminzone.com/forums/showpost.php?p=385730&postcount=102 I personally have pushed out security releases in under a few hours. That's not to say some releases don't take longer to push out than others (i.e. maintenance and security releases). Ryan
Not trying to offend you or the myBB team but I got the information that the ages of the devs are really young. I guess you can say my comment was unnecessary. Then someone has the information wrong. The phpbb developers should update their vulnerability page??? My point was the myBB crew was alerted before the vulnerability was posted and had time to fix it before it went public. Regards
OK? Your point being? It wasn't like they were notified many days before the exploit was posted. But SMF took longer than MyBB did to fix the problem... FACT. So what if the ages of the devs are young anyway? What does that have to do with anything?
Yes, they were notified MANY days on taz and way before it. The phpbb developers even stated that they would post an advisory in a few weeks if it was not handled. So the myBB had quite some time to prepare a release. I know you wouldn't know as you're not a developer. Skill comes with age along with experience, my friend.
Man talk about a sneaky exploit. Looking at the code, it seems like adding a "salt" to attachment filenames would solve a big portion of this problem.
Hey, people, stop fighting. You do know this is a one time thing? Just because it took SMF a couple days to fix it and release it doesn't mean it is always like that. The reason it probably took so long for this to be fixed was probably either: 1) Figuring out how to fix it without screwing other stuffs up 2) It was a hard fix, in other words, this was a very hard exploit to fix, which means it was somewhere deep in the code. Plus, SMF doesn't give full on details saying how you could replicate the exploit, which keeps people who have not upgraded safer for the time being before they actually upgrade. Either way, updating is a snap with SMF's cool Package Manager, you don't even have to log in to FTP or a file manager of any kind, just go to: Admin > Package Manager > You should then see a red box, click "update your forum", it will download the package, hit install, and you're done.
Or makes it harder for people who could provide a temporary patch until an official patch is released, depending on how you look at it.
But not everyone would be capable of patching it. I think fewer people would be capable of (or want to be) patching such a thing, so I think it's smart not to reveal such details before a patch is released.
Like I said before (and it seems to be being ignored) read the full post here: http://www.theadminzone.com/forums/showpost.php?p=385730&postcount=102 - There was no such conversation where they said they would post the advisory "in a few weeks" if it was not handled. I'm not saying both parties involved couldn't have handled it better, because we could have. However the timing was extremely bad and we weren't ever told about issue #2 in the security advisory until it was already posted for several hours on the web. Or is it the other way around?