|
|
 |
| New User, Welcome! Login |
Re: SMF .htaccess bypass
| From: |
"anuj tenani" <anujtenani gmail com> |
| To: |
"Matt D Harris" <mdh solitox net> |
| Cc: |
bugtraq securityfocus com |
| Subject: |
Re: SMF .htaccess bypass |
| Date: |
Tue - Nov 06, 2007 11:40 AM |
Even default smf installation doesn't even use htaccess to protect admin panel
On 11/6/07, Matt D. Harris <mdh@solitox.net> wrote:
> So what you're saying is that .htaccess is working as expected. What
> does this have to do with SMForum? Using .htaccess to protect the admin
> section is not at all standard in SMForum, so I'm not really sure how or
> why this is relevant. Furthermore, SMForum still has its own
> authentication mechanisms. This doesn't seem like a bug/issue at all,
> just software working as intended, even if someone chooses to use it in
> an unusual and insecure manner.
> - mdh
>
> h3llcode@hotmail.it wrote:
> > # ./start
> > #
> > # Discovered by Seph1roth on June 2007 (was priv8)
> > #
> > # Vulnerable: Simple Machine Forum [ALL Versions]
> > #
> > # Visit: http://www.blackroots.it - Best hacking site.
> > #
> > # Description:
> >
> > If smf has index.php?action=admin in .htaccess ,i can bypass that by
> typing in the url some variable of administration panel :
> >
> > example:
> >
> > index.php?action=admin (.htaccess,then access denied)
> > index.php?action=membergroups (accessible)
> > index.php?action=news (accessible)
> > index.php?action=featuresettings (accessible)
> >
> > ...and others...
> >
> > i can bypass and enter the administration by typing the accessible
> variables in the url...
> >
> > # Greets to all BlackRoots Users
> > #
> > # Shoutz to all kiddies
> > #
> > # ./end
> >
>
> --
> /*
> * mdh - Solitox Networks (Lead Project Engineer)
> * Facts often matter little, in the face of fervently held perceptions
> */
>
--
Anuj
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
