CVE-2005-4891
Published 2020-01-15
CVE-2005-4891: Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.
Priority P2 61 · critical 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available. EPSS 1.76% (75.1th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple_machine_forum | simple_machine_forum | — | — |
| simplemachines | simple_machine_forum | <= 1.0.4 | — |
Detection & IOCs (extracted from sources)
- Look for URL-encoded UNION SELECT payloads in the `msg` parameter of SMF index.php requests, specifically those targeting the smf_members table to extract the memberName and passwd fields.
- Detect the exploit's characteristic User-Agent string 'SMF Hash Grabber v1.0' in HTTP request logs.
- Monitor for the `sesc` session token (32-char hex) being extracted and reused across requests: the exploit replaces the sesc parameter to bypass CSRF protection before issuing the injected modify-post request.
- Flag HTTP GET requests to index.php containing both a `msg` parameter and URL-encoded UNION SELECT … FROM smf_members patterns, indicating SQL injection via the modify-post action.
- Caveat: the SQL injection payload assumes the SMF database table prefix is `smf_` (i.e., `smf_members`). Installations using a custom table prefix will require a modified payload; detections hard-coded to this table name may miss such variants.
- Caveat: the login-success detection heuristic is based on the response content length being less than 1024 bytes; modded SMF installs may alter this behaviour and cause the exploit script to fail at the authentication step.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.