lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <907f1b520711061131y6b6f7d36h8059da2a5a4582c1@mail.gmail.com>
Date: Tue, 6 Nov 2007 20:01:40 +0030
From: "anuj tenani" <anujtenani@...il.com>
To: "Matt D. Harris" <mdh@...itox.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: SMF .htaccess bypass

Even default smf installation doesn't even use htaccess to protect admin panel


On 11/6/07, Matt D. Harris <mdh@...itox.net> wrote:
> So what you're saying is that .htaccess is working as expected.  What
> does this have to do with SMForum?  Using .htaccess to protect the admin
> section is not at all standard in SMForum, so I'm not really sure how or
> why this is relevant.  Furthermore, SMForum still has its own
> authentication mechanisms.  This doesn't seem like a bug/issue at all,
> just software working as intended, even if someone chooses to use it in
> an unusual and insecure manner.
> - mdh
>
> h3llcode@...mail.it wrote:
> > # ./start
> > #
> > # Discovered by Seph1roth on June 2007 (was priv8)
> > #
> > # Vulnerable: Simple Machine Forum [ALL Versions]
> > #
> > # Visit: http://www.blackroots.it - Best hacking site.
> > #
> > # Description:
> >
> > If smf has index.php?action=admin in .htaccess ,i can bypass that by
> typing in the url some variable of administration panel :
> >
> > example:
> >
> > index.php?action=admin (.htaccess,then access denied)
> > index.php?action=membergroups (accessible)
> > index.php?action=news (accessible)
> > index.php?action=featuresettings (accessible)
> >
> > ...and others...
> >
> > i can bypass and enter the administration by typing the accessible
> variables in the url...
> >
> > # Greets to all BlackRoots Users
> > #
> > # Shoutz to all kiddies
> > #
> > # ./end
> >
>
> --
> /*
>   * mdh - Solitox Networks (Lead Project Engineer)
>   * Facts often matter little, in the face of fervently held perceptions
>   */
>


-- 
Anuj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ