Author Topic: SMF Security Vulnerability?  (Read 1764 times)
kellerkind
SMF Security Vulnerability?
« on: July 11, 2006, 01:57:54 AM »

Wolverine, is Joomla-SMF affected?
http://www.securityfocus.com/bid/18924/

The Bridge has the SMF.PHP too, and is missing the

Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );

in:

components/com_smf/smf.php
administrator/components/com_smf/config.smf.php
administrator/components/com_smf/install.smf.php
administrator/components/com_smf/rdf.php

Maybe some others too?

See also:
http://forum.joomla.org/index.php/topic,75668.0.html

I added this to these files without losing any functionality, so I think it cannot harm?
« Last Edit: July 11, 2006, 07:30:16 AM by -Wolverine »
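An audit for the check described in the post above, as an added example that is not part of the thread or the bridge's own code: it flags .php files whose first statement is not the `_VALID_MOS` guard. The file names come from the post; the file contents and the function names (`has_guard`, `audit`, `demo`) are constructed for illustration.

```python
import os
import re
import tempfile

# Guard quoted in the post; PHP function names are case-insensitive, constants are not.
GUARD = re.compile(
    r"""(?i:defined)\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?i:or|\|\|)\s*(?i:die|exit)\b""")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)  # PHP comment styles

def has_guard(source):
    """True if the guard is the first statement after the opening PHP tag."""
    start = re.search(r"<\?(?:php)?", source, re.IGNORECASE)
    if not start:
        return True  # no PHP open tag, so nothing executes on direct request
    code = COMMENTS.sub("", source[start.end():]).lstrip()
    return GUARD.match(code) is not None

def audit(root):
    """Return sorted relative paths of .php files that lack the guard."""
    missing = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if not has_guard(fh.read()):
                        rel = os.path.relpath(path, root)
                        missing.append(rel.replace(os.sep, "/"))
    return sorted(missing)

# Constructed sample tree: file names from the post, contents invented here.
GUARD_LINE = "defined( '_VALID_MOS' ) or die( 'Restricted access' );\n"
SAMPLE = {
    "components/com_smf/smf.php": "<?php\nrequire_once('bridge.php');\n",
    "administrator/components/com_smf/config.smf.php":
        "<?php\n// no direct access\n" + GUARD_LINE + "$x = 1;\n",
    "administrator/components/com_smf/rdf.php": "<?php\n$x = 1;\n" + GUARD_LINE,
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)
```

A guard that appears only after other statements is reported as missing, since code above it still runs when the file is requested directly.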
-Wolverine
Re: Vulnerability?
« Reply #1 on: July 11, 2006, 07:16:15 AM »

Looking into it, although you make a good point, those files should have the valid mos check.

It appears that this is the mambo-smf bridge (doesn't mention if it is JHacks or Orstio's bridge). No one should be using that bridge at this point.

After further investigation, although those changes will help, a SQL injection on core SMF is still possible. Everyone should take precautions with their forums at this point until SMF addresses the SQL injection issue. I will release a small update to include those valid mos checks.
« Last Edit: July 11, 2006, 07:32:29 AM by -Wolverine »
-Wolverine
Re: SMF Security Vulnerability?
« Reply #2 on: July 11, 2006, 03:50:14 PM »

After thorough investigation by myself and Kevin, we are more than reasonably sure there is no risk to JHacks users. Further, the example exploits shown in the report are Invision Power Board links. I have sent an email requesting clarification of the issue and if/when I hear more I will fill everyone in.
« Last Edit: July 12, 2006, 09:30:29 AM by -Wolverine »
kellerkind
Re: SMF Security Vulnerability?
« Reply #3 on: July 12, 2006, 12:57:50 AM »

[...] there is no risk to JHacks users.
as expected ;) thx.