
047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
simplemachines
CWE-255
nessus
exploit available

Summary

The password reset functionality in Simple Machines Forum (SMF) 1.0.x before 1.0.14, 1.1.x before 1.1.6, and 2.0 before 2.0 beta 4 includes clues about the random number generator state within a hidden form field and generates predictable validation codes, which allows remote attackers to modify passwords of other users and gain privileges.

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: Simple Machines Forum 1.1.5 Password Reset Security Bypass Vulnerability. CVE-2008-6971. Webapps exploit for php platform
    id: EDB-ID:32717
    last seen: 2016-02-03
    modified: 2009-01-12
    published: 2009-01-12
    reporter: Xianur0
    source: https://www.exploit-db.com/download/32717/
    title: Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability
  • description: Simple Machines Forum <= 1.1.5 Admin Reset Password Exploit (win32). CVE-2008-6971. Webapps exploit for php platform
    file: exploits/php/webapps/6392.php
    id: EDB-ID:6392
    last seen: 2016-01-31
    modified: 2008-09-06
    platform: php
    port: 
    published: 2008-09-06
    reporter: Raz0r
    source: https://www.exploit-db.com/download/6392/
    title: Simple Machines Forum <= 1.1.5 Admin Reset Password Exploit Win32
    type: webapps

Nessus

NASL family: CGI abuses
NASL id: SMF_PASSWORD_RESET.NASL
description: The remote host is running Simple Machines Forum (SMF), an open source web forum application written in PHP. The version of Simple Machines Forum installed on the remote host generates validation codes for its password reset functionality with …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 34209
published: 2008-09-15
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/34209
title: Simple Machines Forum Validation Code Prediction Arbitrary Password Reset
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Plugin identity and version bookkeeping.
  script_id(34209);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/30 15:31:31");

  # External references for the weakness this plugin detects.
  script_cve_id("CVE-2008-6971");
  script_bugtraq_id(31053);
  script_xref(name:"EDB-ID", value:"6392");
  script_xref(name:"Secunia", value:"31750");

  script_name(english:"Simple Machines Forum Validation Code Prediction Arbitrary Password Reset");
  script_summary(english:"Tries to recover value of rand()");

  # Report text shown to the user when the check fires.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
password reset vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Simple Machines Forum (SMF), an open source
web forum application written in PHP.

The version of Simple Machines Forum installed on the remote host
generates validation codes for its password reset functionality with
'rand()', which on Windows platforms has a maximum value of 32767
currently and is used as the seed for the next random number.  An
unauthenticated, remote attacker can leverage this issue to predict
random numbers generated by 'rand()' and thus the validation codes for
the password reset form, which could in turn enable him to reset the
password for arbitrary users of the affected application, such as the
administrator." );
  script_set_attribute(attribute:"see_also", value:"http://www.simplemachines.org/community/index.php?topic=260145.0");
  script_set_attribute(attribute:"solution", value:"Upgrade to SMF 1.1.6 / 2.0 beta 4 or later.");

  # Scoring and exploitability metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): exploit_available is "false" although an EDB-ID xref (6392)
  # is declared above for this same issue -- confirm which value is intended.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(255);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:simplemachines:smf");
  script_end_attributes();

  # Scheduling: an information-gathering check in the CGI abuses family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  # Runs only after SMF has been detected and the OS fingerprinted, and
  # only when CGI scanning is enabled and PHP was seen on the web port.
  script_dependencies("smf_detect.nasl", "os_fingerprint.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


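# Unless we're paranoid, don't bother if we know the OS and it's not Windows:
# the 32767 cap on rand() that this check relies on is described in the
# plugin metadata as a Windows-specific behaviour.
if (report_paranoia < 2)
{
  os = get_kb_item("Host/OS");
  if (os && "Windows" >!< os) exit(0);
}

port = get_http_port(default:80);

# Location of the SMF install, as recorded by smf_detect.nasl.
install = get_install_from_kb(appname:'simple_machines_forum', port:port, exit_on_fail:TRUE);

init_cookiejar();
# Call up the password reset form.
url = install['dir'] + '/index.php?' + 'action=reminder';

r = http_send_recv3(method: "GET", item:url, port:port, exit_on_fail:TRUE);

# The reminder form is expected to carry a hidden 'sc' field; without it
# there is nothing to compare against, so say so instead of ending silently.
if ('type="hidden" name="sc" value="' >!< r[2])
{
  debug_print("couldn't find a hidden 'sc' field in the password reset form!");
  exit(0);
}

# Pull out the session cookie and the 'sc' parameter value.
sc = "";
cookie = get_http_cookie(name: "PHPSESSID");
pat = 'hidden" name="sc" value="([0-9a-fA-F]{32})" />';
matches = egrep(pattern:pat, string: r[2]);
if (matches)
{
  foreach match (split(matches))
  {
    match = chomp(match);
    item = eregmatch(pattern:pat, string:match);
    if (!isnull(item))
    {
      # First well-formed 32-hex-digit value wins.
      sc = item[1];
      break;
    }
  }
}

if (!cookie)
{
  debug_print("couldn't find the session cookie!");
  exit(0);
}
if (!sc)
{
  debug_print("couldn't find the hidden 'sc' parameter value!");
  exit(0);
}

# Check if we can generate the sc parameter value.  The plugin models it as
# MD5(session cookie . rand()) and, since rand() on the affected platform is
# capped at 32767 (see the plugin description), tries every candidate.
# Reproducing the observed value means the validation codes are predictable.
for (i=0; i<=32767; i++)
{
  if (hexstr(MD5(string(cookie, i))) == sc)
  {
    security_hole(port);
    # One matching seed settles the verdict; the remaining candidates cannot
    # change it, so stop rather than hashing the rest of the range.
    break;
  }
}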