1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Remote Execution Exploit -SMF (very serious)

Discussion in 'Forum Management' started by RectangleMan, Nov 6, 2008.

  1. #1
    http://www.milw0rm.com/exploits/6993

    At the SMF forums seems like they tried to brush this under the rug too.

    http://www.simplemachines.org/community/index.php?topic=272393.0

    SMF owners be aware your forums are subject to be demolished pretty damn quick as this gets around.

    And it looks like a patch is a few days away.

    So make backups quick just in case.

    This is so unfortunate since SMF is really known for it's excellent security.
     
    RectangleMan, Nov 6, 2008 IP
  2. pripatel93

    pripatel93 Peon

    Messages:
    276
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    0
    #2
    see, to whoever said that SMF never gets any exploits they are wrong....

    just shows that all all forum software get exploits, just depends on how long the admins take to fix it. and for SMF it is over 72 hours? MYBB updates for exploits faster than SMF :p
     
    pripatel93, Nov 6, 2008 IP
  3. RectangleMan

    RectangleMan Notable Member

    Messages:
    2,825
    Likes Received:
    132
    Best Answers:
    0
    Trophy Points:
    210
    #3
    We already have a VS thread. This should be about the exploit and it's potential for harm to SMF sites.
     
    RectangleMan, Nov 6, 2008 IP
  4. shadow82x

    shadow82x Active Member

    Messages:
    186
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    55
    #4
    I don't think anyone would ever say any software on the internet is 100% secure and will always be. People can say systems are more secure than others do - and thats the point I believe that was made by another member.

    It has not even been 48 hours yet and I believe it took myBB to even acknowledge a security threat a few weeks. But I'm just adding fuel to the fire and dont know why your comparing SMF to myBB.

    Anyhow as far as I know the devs are working really hard to fix this and preventing it so nothing like it comes back in the future. SMF1.1.7 should be packaged soon and released. Anyone using 1.1.6 should apply the code edit in the post and make backups.
     
    shadow82x, Nov 6, 2008 IP
  5. RectangleMan

    RectangleMan Notable Member

    Messages:
    2,825
    Likes Received:
    132
    Best Answers:
    0
    Trophy Points:
    210
    #5
    Mybb had fix for it within hours of publication. I have never know mybb to dismiss something posted at milw0rm.

    So all you SMF users just hold tight..you have a moderate to severe exploit and that means you have to wait even longer for a fix. SMF is working really hard to make sure your secure in the meantime you are totally vulnerable and everyone knows it.
     
    RectangleMan, Nov 6, 2008 IP
  6. pripatel93

    pripatel93 Peon

    Messages:
    276
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    0
    #6
    on one of the hack forums that the milworm link was posted on one of the members hacked into a SMF forum with 200k users... i bet the admin regret using SMF now lol
     
    pripatel93, Nov 7, 2008 IP
  7. nitins60

    nitins60 Peon

    Messages:
    246
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    0
    #7
    it only works if you have enabled attachments system...
     
    nitins60, Nov 7, 2008 IP
  8. RectangleMan

    RectangleMan Notable Member

    Messages:
    2,825
    Likes Received:
    132
    Best Answers:
    0
    Trophy Points:
    210
    #8
    Yeah you would think they would be smart enough to post an advisory and tell admins with concerns to temporarily disabled attachments...
     
    RectangleMan, Nov 7, 2008 IP
  9. shadow82x

    shadow82x Active Member

    Messages:
    186
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    55
    #9
    Hate to say it but myBB was warned several weeks before hand via there report system. They posted this on the web without notifcation. The myBB had several weeks to complete the security issue and I'm sure the myBB devs would not be able to patch up fast as the SMF team is.

    Considering the myBB development team is all kids. :/
     
    shadow82x, Nov 7, 2008 IP
  10. sawz

    sawz Prominent Member

    Messages:
    8,225
    Likes Received:
    808
    Best Answers:
    0
    Trophy Points:
    360
    #10
    i just noticed 1.1.7 is out, get it.
     
    sawz, Nov 7, 2008 IP
  11. Ryan Gordon

    Ryan Gordon Peon

    Messages:
    12
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #11
    I find it interesting you have to revert to false accusations, especially when they are those kind of low-level discriminating accusations as stated in your last sentence.

    Please read this...

    Read the full post: http://www.theadminzone.com/forums/showpost.php?p=385730&postcount=102


    I personally have pushed out security releases in under a few hours. That's not to say some releases don't take longer to push out then others (i.e. maintenance and security releases)

    Ryan
     
    Ryan Gordon, Nov 7, 2008 IP
  12. shadow82x

    shadow82x Active Member

    Messages:
    186
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    55
    #12
    Not trying to offend you or the myBB team but I got the information that the ages of the devs are really young. I guess you can say my comment was unnecessary.

    Than someone has the information wrong. The phpbb developers should update there vulnerability page???

    My point was the myBB crew was alerted before the vulnerability was posted and had time to fix it before it went public.

    Regards
     
    shadow82x, Nov 8, 2008 IP
  13. pripatel93

    pripatel93 Peon

    Messages:
    276
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    0
    #13
    OK? you point being? it wasnt like they were notifed many days before it the exploit posted. but SMF took longer than Mybb did to fix the problem... FACT.

    So what if the ages of the Devs are young anyway? what does that have to do with anything?
     
    pripatel93, Nov 8, 2008 IP
  14. shadow82x

    shadow82x Active Member

    Messages:
    186
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    55
    #14
    Yes they were notified MANY days on taz and way before it. The phpbb developers even stated that they would post an advisory in a few weeks if it was not handled. So the myBB had quite some time to prepare a release. I know you wouldn't know as your not a developer.


    Skill comes with age along with experience my friend.
     
    shadow82x, Nov 8, 2008 IP
  15. JackHeskett

    JackHeskett Peon

    Messages:
    44
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #15
    SMF is worth waiting for, at least they are doing it. I'd choose SMF over MyBB anyday.
     
    JackHeskett, Nov 8, 2008 IP
  16. joebert

    joebert Well-Known Member

    Messages:
    2,150
    Likes Received:
    88
    Best Answers:
    0
    Trophy Points:
    145
    #16
    Man talk about a sneaky exploit.

    Looking at the code, it seems like adding a "salt" to attachment filenames would solve a big portion of this problem.
     
    joebert, Nov 9, 2008 IP
  17. Aldo

    Aldo Peon

    Messages:
    99
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #17
    Hey, people, stop fighting :p

    You do know this is a one time thing? Just because it took SMF a couple days to fix it and release it doesn't mean it is always like that. The reason it probably took so long for this to be fixed was probably either:
    1) Figuring out how to fix it without screwing other stuffs up
    2) It was a hard fix, in other words, this was a very hard exploit to fix, which means it was somewhere deep in the code
    Plus, SMF doesn't give full on details saying how you could replicate the exploit, which keeps people who have not upgraded safer for the time being before they actually upgrade.

    Either way, updating is a snap with SMF's cool Package Manager, you don't even have to login to FTP or a file manager of any kind, just go to:
    Admin > Package Manager > You should then see a red bex, click "update your forum", it will download the package, hit install, and your done ;)
     
    Aldo, Nov 9, 2008 IP
  18. joebert

    joebert Well-Known Member

    Messages:
    2,150
    Likes Received:
    88
    Best Answers:
    0
    Trophy Points:
    145
    #18
    Or makes it harder for people who could provide a temporary patch until an official patch is released, depending on how you look at it.
     
    joebert, Nov 9, 2008 IP
  19. Aldo

    Aldo Peon

    Messages:
    99
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #19
    But not everyone would be capable of patching it. I think less people would be capable (or want to) of patching such a thing, so I think its smart not to reveal such details before a patch is released.
     
    Aldo, Nov 9, 2008 IP
  20. Ryan Gordon

    Ryan Gordon Peon

    Messages:
    12
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #20
    Like I said before (and it seems to be being ignored) read the full post here: http://www.theadminzone.com/forums/showpost.php?p=385730&postcount=102 - There was no such conversation where they said they would post the advisory "in a few weeks" if it was not handled.

    I'm not saying both parties involved couldn't have handled it better, because we could have. However the timing was extremely bad and we weren't ever told about issue #2 in the security advisory until it was already posted for several hours on the web.

    Or is it the other way around?
     
    Ryan Gordon, Nov 12, 2008 IP