Simple Machines Forum Exploit

NickMNickM Member
edited January 2013 in General

I know there's quite a few people here that use Simple Machines Forums, so I figure that the responsible thing to do would be to post this here...

http://raz0r.name/vulnerabilities/simple-machines-forum/

In a nutshell, if you do enough password resets on an account, you'll eventually get a reset key that evaluates to 0 or 1 due to PHP's type juggling. Unfortunately, SMF uses != instead of !== when checking the key, which means you can simply put 0 or 1 as the key in the password reset URL, and eventually get in. This, combined with ineffective throttling on password resets (as long as you take less than 20 seconds between password resets, you can do unlimited resets!), means that you can crack an account in just a few hours.

The fix is pretty simple - in Sources/Reminder.php, find:

        // Quit if this code is not right.
        if (empty($_POST['code']) || substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10))

and replace it with:

        // Quit if this code is not right.
        if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10))
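To see the comparison bug concretely, here is an added example (not SMF's code and not from the linked write-up) using constructed values. The two small functions mirror the loose and strict forms of the Reminder.php check, and the sampling helper shows how often a random 10-character md5 prefix happens to be a numeric string, which is why repeated resets eventually produce an exploitable code.

```php
<?php
// Added example, not SMF's own code. All values below are constructed.

// Mirrors the vulnerable check: loose (==) comparison of two 10-char prefixes.
function codeAcceptedLoose(string $realCode, string $submittedHash): bool
{
    // If both prefixes are numeric strings (e.g. "0e" followed by digits),
    // PHP compares them as numbers, and 0e12345678 and 0e98765432 are both 0.
    return substr($realCode, 0, 10) == substr($submittedHash, 0, 10);
}

// Mirrors the patched check: strict (===) comparison of type and value.
function codeAcceptedStrict(string $realCode, string $submittedHash): bool
{
    return substr($realCode, 0, 10) === substr($submittedHash, 0, 10);
}

// Fraction of random 10-hex-char md5 prefixes that PHP treats as numeric
// strings. Each password reset rolls a fresh code, so this is roughly the
// per-reset chance that the stored code becomes loosely comparable to 0.
function numericPrefixRate(int $samples): float
{
    $hits = 0;
    for ($i = 0; $i < $samples; $i++) {
        $prefix = substr(md5(random_bytes(16)), 0, 10);
        if (is_numeric($prefix)) {
            $hits++;
        }
    }
    return $hits / $samples;
}

// Constructed stored code (as if written to the DB by a reset) and a
// constructed md5 prefix for a WRONG submitted code; both are numeric strings.
$storedCode    = '0e12345678abcdef';
$submittedHash = '0e98765432deadbeef';

echo 'loose  (!=)  accepts wrong code: ',
    var_export(codeAcceptedLoose($storedCode, $submittedHash), true), "\n";
echo 'strict (!==) accepts wrong code: ',
    var_export(codeAcceptedStrict($storedCode, $submittedHash), true), "\n";

// A stored code that is not a numeric string is safe under either operator.
echo 'loose, non-numeric stored code:  ',
    var_export(codeAcceptedLoose('cfcd208495d565ef', $submittedHash), true), "\n";

printf("numeric 10-char md5 prefixes: %.2f%% of %d samples\n",
    100 * numericPrefixRate(200000), 200000);
```

Run it with `php example.php`; the loose comparison reports the wrong code as accepted while the strict one rejects it, regardless of PHP version, since numeric-string to numeric-string comparison is still numeric in PHP 8.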

Comments

  • Well that sucks..

  • Uh oh o.o

  • Yeesh. I seriously need to pay someone to find shit like this in my code. There has to be 100s of holes like this in the stuff I've written...

  • DamianDamian Member
    edited January 2013

    If anyone wants to know why this fixes it, from http://php.net/manual/en/language.operators.comparison.php :

    If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically. These rules also apply to the switch statement. The type conversion does not take place when the comparison is === or !== as this involves comparing the type as well as the value.

    A good programming practice is to always use === and !== in comparisons for PHP. The "loose comparisons" versus the "strict comparisons" tables on http://php.net/manual/en/types.comparisons.php are a good visual on why you should always use strict comparisons.

  • IntcsIntcs Member
    edited January 2013

    Thanks for sharing, and for the tips..
    I had an SMF, but v1 was slow in browsing (noticed not just my install, but also SMF forums that I've visited as a guest) even though it's one of the best forums imo, when taking into account it's free. I don't know about v.2 and up which was supposed to have major updates. But indeed that's terrible imo, since SMF is widely used.

  • I wonder how many things like this can be avoided by simply not using PHP?

  • BK_BK_ Member

    @manma said: simply not using PHP

    A little harder said than done ;)

  • NickMNickM Member
    edited January 2013

    nvm

  • @manma said: I wonder how many things like this can be avoided by simply not using PHP?

    Or how many things like this can be avoided by simply not using PHP (or any other programming language for that matter) if you don't know what you're doing.

  • @manma said: I wonder how many things like this can be avoided by simply not using PHP?

    Many.

  • I've always found SMF to be very, very ugly, both in the forum theme and admin CP.

    The code always pissed me off too for some reason..

  • I'm using SMF for my clan website...
    Fixed it now, thanks :)
