Re: Re: [OSVDB Mods] [New Vulnerability] File Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192) (fwd)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/30/2013 12:36 PM, Brian Martin wrote:
> FYI:
>
> Kurt has indicated that the 2009 disclosure affects 1.x, and the
> new affects 2.x, so they warrant separate CVEs. This is the
> official request for it.
>
> Brian OSF / OSVDB.org
>
> ---------- Forwarded message ---------- From: Brian Martin
> <brian () opensecurityfoundation org> To: Carlos Alberto Lopez Perez
> <clopez () igalia com> Cc: OSVDB Mods <moderators () osvdb org>, Kurt
> Seifried <kseifried () redhat com> Date: Wed, 30 Jan 2013 13:27:35
> -0600 (CST) Subject: Re: [OSVDB Mods] [New Vulnerability] File
> Disclosure in SimpleMachines Forum <= 2.0.3 (CVE-2013-0192)
>
>
>
> On Wed, 30 Jan 2013, Carlos Alberto Lopez Perez wrote:
>
> : There is a file disclosure vulnerability in SMF (Simple Machines
> Forum) : affecting versions <= 2.0.3 [1] : : The vulnerability has
> been assigned CVE-2013-0192 [2] and requires a : valid admin
> backend login to be exploited, therefore has a low security :
> impact score. : : On some configurations a SMF deployment is shared
> by several "co-admins" : that are not trusted beyond the SMF
> deployment. This vulnerability : allows them to read arbitrary
> files on the filesystem and therefore gain : new privileges by
> reading the settings.php with the database passwords.
>
> Thanks for the information Carlos.
>
> Kurt; This was originally disclosed in 2009 (see OSVDB 86444 [1])
> and re-discovered in January 13. If you concur, do you want to see
> about issuing a 2009 CVE? One was never issued for the original
> disclosure.
>
> Brian OSF / OSVDB.org
>
> [1] http://osvdb.org/86444

Please use CVE-2009-5068 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRDBzQAAoJEBYNRVNeJnmTDJEP/jPFMqlf8aNjQvBuGn+0lSse
4kdc+YioFEOQ+4xshH+/9FdkOjchddhh66dYzeYbUl9PVeT0wL4uqEbN1lD5myBf
QimLK2pVGOBLThUTb+sqPwWioTYCQdlqjNgw3YGo7gspg8ihAFiAyY0gOVkr9vUH
1cATd1DB7pzDg7PUYquCmhFVi/CYdPiacNsr+O8txtPQDGK6jdobAqPuXf9oddZE
/VBJT6xRQF9Xxuwv1ZSIjMHDFJl+XzbiUi6a+zM+gQ9TML4fBbFhEqfy48Vmoq9v
Rc9N/7su80CfmZqhuc1+nIfti4aFh11kZNdMLy9aUGgs5exIQ+z1edeu+OBIAHTk
mr2YFqbQnAX2osVozMkuPgd6JEO/XW3Q/+eQK4ZKIllQa7a6Z6BU/Z7XQ3n5T2ga
GzIvgcfYKDWgd3HYHUiOlI2DWyUzC2PRLMlszG2eWv3tYkPesK7OZ+qlUahRWOSq
GBzDQIoQwiRugT+NvPpyMZ6cXi4yvY+8WPKAKHelAP5SmEvSAMNkXyD/SLoFrqD+
5YZR06xIsjuD4pplmeDwnhQmZwWXrfDIp1yLNqWVmuPyxsE47TZYEaf81z0Zgwxh
8KPd3t1ttGFX3mM1gQhW0vw+127Ge0QSxPSjw2NGEQI8Gc3WqiFEBE01zafbvIYf
7l9eXPFwI/vtO2520/0/
=xH4k
-----END PGP SIGNATURE-----