Simple Machines Forum is a popular web community software written in PHP. Its password reset mechanism had some issues back in 2008. The vulnerability was caused by insecure random numbers generation and was patched right after the exploit was published. This time I found a more interesting vulnerability however at Positive Technologies we didn’t manage to raise awareness of SMF developers. After continuous silence of SMF devs I am disclosing the vulnerability details but I am not going to publish the exploit.