oss-sec mailing list archives
Re: Re: [Full-disclosure] File Disclosure in SimpleMachines Forum <= 2.0.3
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Fri, 11 Jan 2013 22:36:08 +0100
On 09/01/13 01:28, Kurt Seifried wrote:
I apologize but I am having a heck of a time parsing that last sentence. If you want to send it in your native language I can probably get it translated from another Red Hat employee.
I'm a Spanish native speaker. Let me translate this for you. This is a free translation. I split it into several paragraphs for better readability.
On 09/01/13 02:33, WHK Yan wrote:
Sorry, I was using Google Translate; I speak Spanish. I was explaining to you that sometimes there are administrators who need help administering forum sections, as in an SMF. In my case I am part of the elhacker.net community, where there is a single administrator and several co-administrators. Now... the administrator does not trust even his own shadow and has created a special user group from the user groups panel called coadmin. This type of user was created based on the permissions of an administrator, with the exception of installing packages and anything that could allow taking full control of the server, restricting them solely to tasks of the forum itself.
""" Excuse me, I was trying to use Google Translate. I speak Spanish. I was explaining to you that sometimes there are administrators who need help to administer forum sections of SMF. In my case I'm part of the elhacker.net community, where there is only one administrator and several co-administrators. However, the administrator is very wary and he doesn't trust anybody, so he has created a special user group called coadmin from the users panel. These coadmin users are created with the typical forum administrator rights, with the exception that they are not allowed to install packages or anything that could allow them to take control over the forum. """
With this security flaw, a user such as this co-administrator could access the configuration file and read the database, thereby obtaining the administrator's session hash and then uploading a malicious shell such as a c99.php.
""" With this security flaw, one of these untrusted "coadministrators" could access the config file of the site and obtain the database passwords, and then he could get the session hash of the administrator from the DB. Then he could upload an evil shell like c99.php. """
This scenario repeats itself on multiple forums that I visit, such as portalhacker.net and el-hacker.com, among many others. That is why I think it is an important security flaw: if SMF is designed to protect directories and does not do so correctly, allowing arbitrary file reads, then for us it is not an isolated case or one so simple to see. It is like the typical scenario of "is an XSS high or low impact?"; it all depends on the scenario, and in our cases it is something critical. Thank you for your attention, Mr. Kurt.
""" Scenarios like this happen on many forums that I visit, like portalhacker.net or el-hacker.com, among others. I think that this security flaw is important. SMF is designed to protect directory and file access, and if it doesn't work as expected and allows reading any file, then the security implications are high. I think this is like the typical question of "Is an XSS of high or low impact?". Everything depends on the scenario and use case, and in our personal use cases this is something critical. Thanks for your attention, Mr. Kurt. """
Best regards!