oss-sec mailing list archives
Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 08 Jan 2013 12:11:30 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/08/2013 06:36 AM, WHK Yan wrote:
The flaw is not exploitable without privileges. On some occasions there are forums where there are co-admistrators which have privileges to view the error log but not to modify code or at least read the mysql connection.
So is a trust/security boundary crossed here? Can you please confirm that the co-admistrator (or anyone) is not supposed to be able to read arbitrary files accessible to the web server, and that this attack does indeed allow that? Thanks. Removing full-disclosure () lists grok org uk from CC due to reply spam. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ7G9iAAoJEBYNRVNeJnmTPD0P/3qP0sPDl82+V1ST02WalH7q O4qhaSWUi//rY3RXMARDVfNUOeTfzBgOpS21/4qeLuLH07ko5rrwGOksuc6U8fE+ NOQz9A3sqHQyE0419WqWDuI/kIK7SucWnGw8ACU+/vckvzWjfSDRQamq6+P+SBxL Cf8zS65JY5kMTRgOPK4HMy/UyUgye9DTg49aKoUIzDndbzEX+BIvr6LqSPzh5wTE +/NbA9R20ARFGJSe/gQARTVs8d5p0/6oi9KSxcwHLfvpWEC1zNsziVpervI3doNB SXb9DoiGH/G0GGoryVP5tl2kgzuaMWgdys/ypHDZ+Jmap4DsV161+Y1pS8UcRP4f MRAKZ3Slb/1wyW7omRnA/J6EWrgyEq4Z0f14DPUhLiLMaOgIHbVEt/b/pfyRYdPE EEhbemCqzqaQMwSkN9g8XSOptwD2g2vj01Kdi58TzKvS4zZefHnmVCUmfr31fEF6 iuh4FH4baYygNlyqMMH83QtSHEB6YwRGky/bMxFZ+FGOPq0amYXBhiqV/dAkS2Ns +Tt0dpJCIBo4e6TMOmFe4obpYj4XSlRVz0SKiU4oz5XvDKUiKEM1Q4DGrLtY2+9W 1ozv7vcKFdg89Vrm/i9BfAiyLue9swXtr5LFS1PAE5HJB6yWBSERv2PPvnX4xj3i PMcisy0d8xjsEbxA4rxG =d5Kh -----END PGP SIGNATURE-----
Current thread:
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Carlos Alberto Lopez Perez (Jan 08)
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Message not available
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Carlos Alberto Lopez Perez (Jan 11)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 16)
- Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 Kurt Seifried (Jan 08)
- Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3 WHK Yan (Jan 08)