At the start of 2021 three vulnerability reports were published describing alleged SmartFoxServer 2.17.0 (the latest version as of March 2021) exploits. We exchanged several emails with the individual who created the reports prior to their publishing, pointing out evident flaws in the findings but they were still published without correcting those glaring mistakes.
The reports
The following are the reports in question:
They all refer to a so called “God Mode Console”, an additional Admin Tool module which is always inactive by default in any SmartFoxServer installation. The module can be activated by an Admin via multiple manual steps and it can be used to debug a live server at runtime, typically when a bug or issue cannot be reproduced locally but it manifests in a live environment.
NOTE: the console cannot be activated or remotely accessed. It requires the server admin to manually activate it and use it.
Given this premise it goes without saying that the first “vulnerability” report is just an example of bad security reporting. The whole point of the console is to execute arbitrary commands, and an attacker who has local access and the credentials to enable the console is already in control of the target server. Even after explaining these points to the “researcher” prior to publication, he went ahead and posted the alleged exploit.
The 2nd entry in the list claims that the Admin password is stored in clear text, which is correct, and flags it as a medium threat. We agree with the claim and we can also provide further details: there aren’t many better ways to secure such a password, and a clear-text file can be efficiently secured by way of user permission management.
For more info on securing clear-text passwords, please take a look at this discussion on StackOverflow.
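As an added illustration of the permission-management point above (this is not SmartFoxServer’s own code or tooling), the following POSIX shell snippet locks a clear-text configuration file down to its owner and checks that no group or world access remains. The file path and service user are assumed placeholders; in a real deployment the owner should be the account the server runs as, and changing ownership normally requires root.

```shell
#!/bin/sh
# Constructed example: restrict a clear-text credentials file to its owner.
# CONFIG_FILE and SERVICE_USER are placeholders, not SmartFoxServer paths.
CONFIG_FILE="${CONFIG_FILE:-/tmp/example-admin-config.xml}"
SERVICE_USER="${SERVICE_USER:-$(id -un)}"

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
config_mode() {
    f="$1"
    if stat -c '%a' "$f" >/dev/null 2>&1; then
        stat -c '%a' "$f"
    else
        stat -f '%Lp' "$f"
    fi
}

# Return 0 when only the owner can read the file (mode 600 or 400), 1 otherwise.
config_is_private() {
    mode=$(config_mode "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Give the file to the service account and strip group/other permissions.
# chown may fail without root; the chmod still applies to a file we own.
lock_down_config() {
    f="$1"
    owner="$2"
    chown "$owner" "$f" 2>/dev/null || true
    chmod 600 "$f"
}

# Stand-alone usage: create a sample file, show the before/after state.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    printf 'adminPassword=placeholder\n' > "$CONFIG_FILE"
    chmod 644 "$CONFIG_FILE"
    echo "before: $(config_mode "$CONFIG_FILE")"
    lock_down_config "$CONFIG_FILE" "$SERVICE_USER"
    echo "after:  $(config_mode "$CONFIG_FILE")"
fi
```

Run with `RUN_EXAMPLE=1 sh lockdown.sh` to see the mode change from 644 to 600; `config_is_private` can be dropped into a startup script so the server refuses to start (or at least logs a warning) when the credentials file is readable by other accounts on the host.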
The 3rd and last entry reports an XSS (cross-site scripting) exploit without actually showing any evidence of the “cross-site” part. As already clarified, this is an admin-only console that is not accessible to the outside world and is disabled by default, but the author willfully ignored this and reported it as a vulnerability.
If there are any other questions regarding these issues, you can get in touch with us via the support section found on our website.