oss-sec mailing list archives

Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192) (fwd)


From: Brian Martin <brian () opensecurityfoundation org>
Date: Wed, 30 Jan 2013 13:36:30 -0600 (CST)


FYI:

Kurt has indicated that the 2009 disclosure affects 1.x, and the new one affects 2.x, so they warrant separate CVEs. This is the official request for it.

Brian
OSF / OSVDB.org

---------- Forwarded message ----------
From: Brian Martin <brian () opensecurityfoundation org>
To: Carlos Alberto Lopez Perez <clopez () igalia com>
Cc: OSVDB Mods <moderators () osvdb org>, Kurt Seifried <kseifried () redhat com>
Date: Wed, 30 Jan 2013 13:27:35 -0600 (CST)
Subject: Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192)



On Wed, 30 Jan 2013, Carlos Alberto Lopez Perez wrote:

: There is a file disclosure vulnerability in SMF (Simple Machines Forum)
: affecting versions <= 2.0.3 [1]
:
: The vulnerability has been assigned CVE-2013-0192 [2] and requires a
: valid admin backend login to be exploited, and therefore has a low
: security impact score.
:
: On some configurations an SMF deployment is shared by several "co-admins"
: that are not trusted beyond the SMF deployment. This vulnerability
: allows them to read arbitrary files on the filesystem and therefore gain
: new privileges by reading the settings.php with the database passwords.

Thanks for the information Carlos.

Kurt: This was originally disclosed in 2009 (see OSVDB 86444 [1]) and
re-discovered in January 13. If you concur, do you want to see about
issuing a 2009 CVE? One was never issued for the original disclosure.

Brian
OSF / OSVDB.org

[1] http://osvdb.org/86444
