oss-sec mailing list archives
Re: Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192) (fwd)
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 01 Feb 2013 12:51:44 -0700
On 01/30/2013 12:36 PM, Brian Martin wrote:
> FYI: Kurt has indicated that the 2009 disclosure affects 1.x, and the new
> affects 2.x, so they warrant separate CVEs. This is the official request
> for it.
>
> Brian
> OSF / OSVDB.org
>
> ---------- Forwarded message ----------
> From: Brian Martin <brian () opensecurityfoundation org>
> To: Carlos Alberto Lopez Perez <clopez () igalia com>
> Cc: OSVDB Mods <moderators () osvdb org>, Kurt Seifried <kseifried () redhat com>
> Date: Wed, 30 Jan 2013 13:27:35 -0600 (CST)
> Subject: Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192)
>
> On Wed, 30 Jan 2013, Carlos Alberto Lopez Perez wrote:
>
> : There is a file disclosure vulnerability in SMF (Simple Machines Forum)
> : affecting versions <= 2.0.3 [1]
> :
> : The vulnerability has been assigned CVE-2013-0192 [2] and requires a
> : valid admin backend login to be exploited, therefore has a low security
> : impact score.
> :
> : On some configurations a SMF deployment is shared by several "co-admins"
> : that are not trusted beyond the SMF deployment. This vulnerability
> : allows them to read arbitrary files on the filesystem and therefore gain
> : new privileges by reading the settings.php with the database passwords.
>
> Thanks for the information Carlos.
>
> Kurt; This was originally disclosed in 2009 (see OSVDB 86444 [1]) and
> re-discovered in January 13. If you concur, do you want to see about
> issuing a 2009 CVE? One was never issued for the original disclosure.
>
> Brian
> OSF / OSVDB.org
>
> [1] http://osvdb.org/86444

Please use CVE-2009-5068 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993