Simple Machines Forum Exploit
I know there's quite a few people here that use Simple Machines Forums, so I figure that the responsible thing to do would be to post this here...
http://raz0r.name/vulnerabilities/simple-machines-forum/
In a nutshell, if you do enough password resets on an account, you'll eventually get a reset key that evaluates to 0 or 1 due to PHP's type juggling. Unfortunately, SMF uses != instead of !== when checking the key, which means you can simply put 0 or 1 as the key in the password reset URL, and eventually get in. This, combined with ineffective throttling of password resets (as long as you take less than 20 seconds between password resets, you can do unlimited resets!), means that you can crack an account in just a few hours.
The fix is pretty simple - in Sources/Reminder.php, find:
// Quit if this code is not right.
if (empty($_POST['code']) || substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10))
and replace it with:
// Quit if this code is not right.
if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10))
Comments
Well that sucks..
Uh oh o.o
Yeesh. I seriously need to pay someone to find shit like this in my code. There has to be 100s of holes like this in the stuff I've written...
If anyone wants to know why this fixes it, from http://php.net/manual/en/language.operators.comparison.php :
A good programming practice is to always use === and !== in comparisons for PHP. The "loose comparisons" versus the "strict comparisons" tables on http://php.net/manual/en/types.comparisons.php are a good visual on why you should always use strict comparisons.
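To make concrete both the original post's description of the Reminder.php check and the comment above about loose versus strict comparison, here is an added example; it is not SMF's code and not something either poster wrote. The function names, the 10-character codes and the "wrong guess" values are all constructed for illustration, and the hash_equals() variant is an extra hardening step that the post itself does not mention.

```php
<?php
// Added example (not SMF's code): models the reset-code check from
// Sources/Reminder.php once with != and once with !==, then shows the
// PHP numeric-string juggling that makes the loose version accept a
// mismatched code. Every code value below is constructed.

// Shape of the original check: true means "reject this submission".
function rejectLoose(string $realCode, string $submitted): bool
{
    return empty($submitted)
        || substr($realCode, 0, 10) != substr(md5($submitted), 0, 10);
}

// The patched check from the post: strict, byte-for-byte comparison.
function rejectStrict(string $realCode, string $submitted): bool
{
    return empty($submitted)
        || substr($realCode, 0, 10) !== substr(md5($submitted), 0, 10);
}

// Same intent via hash_equals() (PHP >= 5.6): strict and constant-time,
// so response timing does not leak how many leading characters matched.
function rejectHardened(string $realCode, string $submitted): bool
{
    return empty($submitted)
        || !hash_equals(substr($realCode, 0, 10), substr(md5($submitted), 0, 10));
}

// A stored code whose first 10 characters form a numeric string
// (e.g. "0e" followed only by digits) is the class that != mishandles:
// PHP converts both sides to numbers before comparing.
function isWeakCode(string $code): bool
{
    return is_numeric(substr($code, 0, 10));
}

// Defensive generator (PHP >= 7): draw codes until one is not numeric-looking,
// so a loose comparison elsewhere in the code base has nothing to juggle.
function generateResetCode(): string
{
    do {
        $code = substr(bin2hex(random_bytes(8)), 0, 10);
    } while (isWeakCode($code));
    return $code;
}

// --- The juggling itself, at the level of the two 10-character prefixes ---
$stored = '0e12345678'; // constructed: what a weak stored prefix looks like
$other  = '0e98765432'; // constructed: a different numeric-looking prefix

var_dump($stored == $other);   // bool(true):  both sides become float(0)
var_dump($stored === $other);  // bool(false): the bytes differ
var_dump(isWeakCode($stored)); // bool(true)

// --- All three checks reject a wrong guess against a normal stored code ---
$realCode = 'a7f3c9e1d2'; // constructed stored code, not numeric-looking
$wrong    = 'guess';      // constructed wrong submission

var_dump(rejectLoose($realCode, $wrong));    // bool(true)
var_dump(rejectStrict($realCode, $wrong));   // bool(true)
var_dump(rejectHardened($realCode, $wrong)); // bool(true)
var_dump(isWeakCode(generateResetCode()));   // bool(false)
```

Run it with `php example.php`. The first two var_dump lines are the whole bug: two different 10-character strings that PHP treats as equal under == (and therefore as "not different" under !=), but as different under ===. Switching the operator, as the post does, is the minimal fix; hash_equals() additionally removes the timing side channel, and refusing to issue numeric-looking codes in the first place protects any other loose comparison of the same value.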
Thanks for sharing, and for the tips..
I had an SMF, but v1 was slow in browsing (noticed not just my install, but also SMF forums that I've visited as a guest) even though it's one of the best forums imo, when taking into account it's free. I don't know about v.2 and up which was supposed to have major updates. But indeed that's terrible imo, since SMF is widely used.
I wonder how many things like this can be avoided by simply not using PHP?
A little harder said than done
nvm
Or how many things like this can be avoided by simply not using PHP (or any other programming language for that matter) if you don't know what you're doing.
Many.
I've always found SMF to be very, very ugly, both in the forum theme and admin CP.
The code always pissed me off too for some reason..
I'm using SMF for my clan website...
Fixed it now, thanks