Even default smf installation doesn't even use htaccess to protect admin panel On 11/6/07, Matt D. Harris <mdh@xxxxxxxxxxx> wrote: > So what you're saying is that .htaccess is working as expected. What > does this have to do with SMForum? Using .htaccess to protect the admin > section is not at all standard in SMForum, so I'm not really sure how or > why this is relevant. Furthermore, SMForum still has its own > authentication mechanisms. This doesn't seem like a bug/issue at all, > just software working as intended, even if someone chooses to use it in > an unusual and insecure manner. > - mdh > > h3llcode@xxxxxxxxxx wrote: > > # ./start > > # > > # Discovered by Seph1roth on June 2007 (was priv8) > > # > > # Vulnerable: Simple Machine Forum [ALL Versions] > > # > > # Visit: http://www.blackroots.it - Best hacking site. > > # > > # Description: > > > > If smf has index.php?action=admin in .htaccess ,i can bypass that by > typing in the url some variable of administration panel : > > > > example: > > > > index.php?action=admin (.htaccess,then access denied) > > index.php?action=membergroups (accessible) > > index.php?action=news (accessible) > > index.php?action=featuresettings (accessible) > > > > ...and others... > > > > i can bypass and enter the administration by typing the accessible > variables in the url... > > > > # Greets to all BlackRoots Users > > # > > # Shoutz to all kiddies > > # > > # ./end > > > > -- > /* > * mdh - Solitox Networks (Lead Project Engineer) > * Facts often matter little, in the face of fervently held perceptions > */ > -- Anuj
