SMF Password Reset Vuln

I was browsing the one other forum I am a part of and ran into this topic, which I thought you guys might find interesting. One of our members discovered a very basic vulnerability with SMF which allows pretty much anyone with half a brain to reset anyone else’s password, so long as they have their user ID. Apparently the password reset code is a hash which is always 10 chars long (yes I tested on JGO too) which translates into 1,099,511,627,776 possible reset URLs. That’s actually relatively small compared to if the system produced reset codes of varying lengths. I’m sure it would be very simple to write a script to try them all. Kinda scary to me.

Here’s a link to the original post on EZ: https://evilzone.org/hacking-and-security/taking-over-your-evilzone-account-the-easy-way/msg92363/?topicseen#msg92363

Hopefully one of JGO’s admins can disable the password resetting for now until either you guys or SMF’s devs fix it. This can’t be the first time it’s come up.

Should be taken care of by some simple IP blocking. After the first million attempts, I’m sure someone will know an attack is happening :)

Or just build in a five second wait before responding to any password reset attempt.

It might be easy to come up with a script to try them all, but even if you manage to make 1000 requests/second (one every 1 ms, which won’t happen), it will take you ~35 years to try them all.

I really think Riven would notice after the first few weeks… :)

And wouldn’t that only get you into one account?

CopyableCougar4
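
Added example, not part of the thread and not SMF's code: a sketch of a server-side reset-code check that applies the mitigations suggested above (a five-second spacing between attempts, plus an attempt cap and expiry) and reproduces the thread's keyspace and ~35-year figures. It assumes the 10-character code is hexadecimal, since 16^10 equals the 1,099,511,627,776 quoted; `ResetCodes`, `MAX_ATTEMPTS` and `TTL_SECONDS` are hypothetical names and values.

```python
import hashlib, hmac, secrets, time

CODE_LEN = 10                # thread's figure: 10 characters (assumed hex)
KEYSPACE = 16 ** CODE_LEN    # 1,099,511,627,776 possible codes
MAX_ATTEMPTS = 5             # assumption: wrong guesses allowed per issued code
TTL_SECONDS = 3600           # assumption: lifetime of an issued code
MIN_INTERVAL = 5.0           # the "five second wait" suggested in the thread

class ResetCodes:
    """In-memory store of pending reset codes (hypothetical helper)."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # user_id -> [sha256(code), expires, failures, next_allowed]

    def issue(self, user_id):
        code = secrets.token_hex(CODE_LEN // 2)          # CSPRNG, 10 hex chars
        digest = hashlib.sha256(code.encode()).digest()  # store only the hash
        self._pending[user_id] = [digest, self._clock() + TTL_SECONDS, 0, 0.0]
        return code

    def verify(self, user_id, guess):
        entry, now = self._pending.get(user_id), self._clock()
        if entry is None or now >= entry[1]:
            self._pending.pop(user_id, None)             # unknown or expired
            return "invalid"
        if now < entry[3]:
            return "throttled"                           # too soon after last try
        entry[3] = now + MIN_INTERVAL
        candidate = hashlib.sha256(guess.encode()).digest()
        if hmac.compare_digest(candidate, entry[0]):     # constant-time compare
            del self._pending[user_id]                   # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user_id]                   # burn code after the cap
        return "invalid"

def guess_success_probability(attempts=MAX_ATTEMPTS):
    """Chance that blind guessing hits one issued code before it is burned."""
    return attempts / KEYSPACE

def years_to_exhaust(requests_per_second):
    """Time to try every code at a fixed request rate, ignoring any cap."""
    return KEYSPACE / requests_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(f"{years_to_exhaust(1000):.1f} years at 1000 req/s")
    print(f"{years_to_exhaust(1 / MIN_INTERVAL):,.0f} years at one try per 5 s")
    print(f"{guess_success_probability():.2e} success chance per issued code")
```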

SMF is a collection of vulnerabilities disguised as a forum.

This particular attack is impractical over a network. It’s not worth even looking at.

This is only usable when somebody got their hands on a database dump. In that case resetting passwords is the least of my concerns.

Indeed, they would discover the weak and vulnerable contents of the vault, and then we’d have a containment situation on our hands that makes Ebola look like a minor case of the sniffles going round.

Cas :)

The 2nd Tuesday of November is coming up again, so… watch that logo kids.

Time to put that on my calendar :point:

I’m going to go ahead and ask:

What’s special about the 2nd Tuesday of November?