Simple Machines Forum Validation Code Prediction Arbitrary Password Reset

Nessus Plugin ID 34209 (Severity: High)

Synopsis

The remote web server contains a PHP application that is affected by a password reset vulnerability.

Description

The remote host is running Simple Machines Forum (SMF), an open source web forum application written in PHP.

The version of Simple Machines Forum installed on the remote host generates validation codes for its password reset functionality with 'rand()', which on Windows platforms currently has a maximum value of 32767 and whose output is used as the seed for the next random number. An unauthenticated, remote attacker can leverage this issue to predict the random numbers generated by 'rand()' and thus the validation codes used by the password reset form, which could in turn allow them to reset the password of arbitrary users of the affected application, such as the administrator.
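The two properties the description names (a 15-bit output range and an output that seeds the next call) are what make such codes guessable. The following Python is an added illustration, not SMF's or PHP's code: `WeakRand` is a constructed toy generator with those two properties, the constants and the code alphabet are assumptions, and the check functions show what a reviewer would measure when assessing a reset-token generator, alongside a replacement built on the OS CSPRNG.

```python
import secrets

# Upper bound of rand() on Windows as stated in the advisory (15-bit output).
RAND_MAX_WINDOWS = 32767


class WeakRand:
    """Constructed model of a rand()-style generator (not the real CRT or PHP
    implementation): every output is at most 15 bits, and the output itself
    becomes the state for the next call, as the advisory describes."""

    def __init__(self, seed: int):
        self.state = seed & 0xFFFF

    def next(self) -> int:
        # Toy linear step; the multiplier/increment are assumptions for the demo.
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        out = (self.state >> 16) & RAND_MAX_WINDOWS
        self.state = out  # the returned value seeds the following call
        return out


def weak_validation_code(rng: WeakRand, length: int = 10) -> str:
    """Builds a letters-only code from successive rand() outputs, the pattern
    the advisory warns about (alphabet and length are assumptions)."""
    return "".join(chr(ord("a") + rng.next() % 26) for _ in range(length))


def predict_next_from_observed(observed: int) -> int:
    """Defender's check #1: if the next output is a pure function of the last
    one, a single value seen by anyone (e.g. a code e-mailed to their own
    account) determines every later code. With this model it always is."""
    return WeakRand(observed).next()


def enumerate_weak_codes(length: int = 10) -> set:
    """Defender's check #2: count how many distinct codes the generator can
    emit at all. Because the whole code is driven by one 15-bit seed, a
    10-character code still has at most 32768 possible values."""
    return {weak_validation_code(WeakRand(seed), length)
            for seed in range(RAND_MAX_WINDOWS + 1)}


def strong_validation_code(nbytes: int = 16) -> str:
    """Hardened replacement: 128 bits drawn from the OS CSPRNG via the
    'secrets' module, with no state shared between calls."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    rng = WeakRand(seed=1234)
    seen = rng.next()
    print("predictable:", predict_next_from_observed(seen) == rng.next())
    print("distinct weak codes:", len(enumerate_weak_codes()))
    print("strong code:", strong_validation_code())
```

Running it shows the two findings a reviewer would report: the next weak output is recovered exactly from one observed value, and the full population of 10-character weak codes never exceeds 32768, which is small enough for a careful rate limit and expiry to matter far less than replacing the generator. The `secrets`-based code has a 2^128 keyspace and no cross-request state, which is the property the fixed SMF releases needed.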

Solution

Upgrade to SMF 1.1.6 / 2.0 beta 4 or later.

See Also

http://www.simplemachines.org/community/index.php?topic=260145.0

Plugin Details

Severity: High

ID: 34209

File Name: smf_password_reset.nasl

Version: 1.19

Type: remote

Family: CGI abuses

Published: 9/15/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:simplemachines:smf

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2008-6971

BID: 31053

CWE: 255

SECUNIA: 31750