Secunia Security Advisory - Some vulnerabilities have been discovered in Simple Machines Forum, which can be exploited by malicious users and malicious people to conduct cross-site request forgery attacks.
1069d724ad96ed921afcc3608dd7b3adc513fe4f24d4b6bf9e2cf4b642bc692a
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Simple Machines Forum Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA37557
VERIFY ADVISORY:
http://secunia.com/advisories/37557/
DESCRIPTION:
Some vulnerabilities have been discovered in Simple Machines Forum,
which can be exploited by malicious users and malicious people to
conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. perform certain administrative
actions when a logged-in user visits a malicious site.
Successful exploitation allows e.g. to delete package servers,
conduct script insertion attacks via censor lists and package
manager, and execute arbitrary PHP code by uploading arbitrary
modules, but requires a valid user account.
The vulnerabilities are confirmed in version 1.1.10. Other versions
may also be affected.
SOLUTION:
Update to version 1.1.11
PROVIDED AND/OR DISCOVERED BY:
SimpleAudit team
ORIGINAL ADVISORY:
http://code.google.com/p/smf2-review/issues/detail?id=10
http://code.google.com/p/smf2-review/issues/detail?id=11
http://code.google.com/p/smf2-review/issues/detail?id=17
http://code.google.com/p/smf2-review/issues/detail?id=42
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------