oss-sec mailing list archives
Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192) (fwd)
From: Brian Martin <brian () opensecurityfoundation org>
Date: Wed, 30 Jan 2013 13:36:30 -0600 (CST)
FYI: Kurt has indicated that the 2009 disclosure affects 1.x, and the new one affects 2.x, so they warrant separate CVEs. This is the official request for it.
Brian
OSF / OSVDB.org

---------- Forwarded message ----------
From: Brian Martin <brian () opensecurityfoundation org>
To: Carlos Alberto Lopez Perez <clopez () igalia com>
Cc: OSVDB Mods <moderators () osvdb org>, Kurt Seifried <kseifried () redhat com>
Date: Wed, 30 Jan 2013 13:27:35 -0600 (CST)
Subject: Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192)

On Wed, 30 Jan 2013, Carlos Alberto Lopez Perez wrote:

: There is a file disclosure vulnerability in SMF (Simple Machines Forum)
: affecting versions <= 2.0.3 [1]
:
: The vulnerability has been assigned CVE-2013-0192 [2] and requires a
: valid admin backend login to be exploited, therefore has a low security
: impact score.
:
: On some configurations an SMF deployment is shared by several "co-admins"
: that are not trusted beyond the SMF deployment. This vulnerability
: allows them to read arbitrary files on the filesystem and therefore gain
: new privileges by reading the settings.php with the database passwords.

Thanks for the information Carlos.

Kurt: This was originally disclosed in 2009 (see OSVDB 86444 [1]) and
re-discovered in January 13. If you concur, do you want to see about
issuing a 2009 CVE? One was never issued for the original disclosure.

Brian
OSF / OSVDB.org

[1] http://osvdb.org/86444