full Disclusore in SimpleMachines Forum <= 2.0.3

Started by yan.uniko.102, January 07, 2013, 08:08:28 AM

Previous topic - Next topic

yan.uniko.102

*Summary:*
--------------
A security flaw allows an attacker to know the full path of the web system.

*Details:
-----------
SSI.php Line 294:
// Fetch a post with a particular ID. By default will only show if you have
permission to the see the board in question - this can be overriden.
function ssi_fetchPosts($post_ids, $override_permissions = false,
$output_method = 'echo')
{

$post_id is not defined. Possible fix: ($post_id = '')


*PoC:
-------
http://example.com/forumpath/SSI.php?ssi_function=fetchPosts [nofollow]

*Google Dorks:
---------------------
inurl:?index.php?action=help

*Demos:
-----------
http://simpleportal.net/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.furgovw.org/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.teachmideast.com/forum_old/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.slowracing.com/jaxfox/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.iptv2you.com/board/SSI.php?ssi_function=fetchPosts [nofollow]
http://voceteopr.com/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.thesilverball.com/SSI.php?ssi_function=fetchPosts [nofollow]
http://othforums.com/SSI.php?ssi_function=fetchPosts [nofollow]
http://www.skinmod.eu/SSI.php?ssi_function=fetchPosts [nofollow]


Temporal Solution:
---------------------

SSI.php line 45:
$ssi_error_reporting = error_reporting(defined('E_STRICT') ? E_ALL | E_STRICT : E_ALL);

Replace:
$ssi_error_reporting = error_reporting(0);


Functions afected:
-----------------------

. fetchMember
. fetchPosts
. fetchGroupMembers
. queryMembers

Source:
--------
http://whk.drawcoders.net/index.php/topic,2792.0.html [nofollow]

Mirrors:
-------------------------
http://seclists.org/fulldisclosure/2013/Jan/14 [nofollow]
http://packetstormsecurity.com/files/119240/smf-disclose.txt [nofollow]
http://cxsecurity.com/issue/WLB-2013010025 [nofollow]
https://foro.elhacker.net/nivel_web/path_disclusore_en_simplemachines_forum_203-t379876.0.html [nofollow]

Arantor

It's not just fetchPosts that will cause this, actually. fetchMember, fetchGroupMembers, queryMembers are all vulnerable to this same bug.

If it wasn't for the fact that voting via SSI requires the query-via-HTTP function, I'd suggest disabling that entirely.

vbgamer45

Confirmed the second one allows reading any file. Seems to only return the first part of the file seems to be a limit of how much data it will take form the file. 20 lines but you can read other parts of the file using the line number if passed.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

yan.uniko.102


Nolt

Hello,

I just checked and is strange, but on one server I couldn't read paths, but on other server where I have few SMF boards they was affected to this.
It could be possible that this hack depends from server configuration? (php.ini, my.ini etc.)

Arantor

Think you'll find a lot of this depends on having admin rights.

Not that there isn't an issue - because there is - but since it's not just open to everyone and everything, it's not the issue it might be.

HauntIT

Quote from: Nolt on January 10, 2013, 05:05:50 PM
Hello,

I just checked and is strange, but on one server I couldn't read paths, but on other server where I have few SMF boards they was affected to this.
It could be possible that this hack depends from server configuration? (php.ini, my.ini etc.)

Hi SMF Forum ;)

This is my first post here, anyway:
Nolt: yes, this could depends of php.ini settings. Check if you have enable parameters like: register_globals, display_errors, and html_errors, etc and disable them. Then your errors should not be presented anymore. ('For debug' you can set +w to some file at your server and then send your logs there, but be carefull here too, because somewhere in your webapp-code could be LFI bug, and there you will be owned. ;) )

Best regards,
Jakub

emanuele



Take a peek at what I'm doing! ;D




Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Advertisement: