Channel: LowEndTalk

Simple Machines Forum Exploit

I know there's quite a few people here that use Simple Machines Forums, so I figure that the responsible thing to do would be to post this here...

http://raz0r.name/vulnerabilities/simple-machines-forum/

In a nutshell, if you do enough password resets on an account, you'll eventually get a reset key that evaluates to 0 or 1 due to PHP's type juggling. Unfortunately, SMF uses != instead of !== when checking the key, which means you can simply put 0 or 1 as the key in the password reset URL, and eventually get in. This, combined with ineffective throttling on password resets (as long as you take less than 20 seconds between password resets, you can do unlimited resets!), means that you can crack an account in just a few hours.

The fix is pretty simple - in Sources/Reminder.php, find:

        // Quit if this code is not right.
        if (empty($_POST['code']) || substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10))

and replace it with:

        // Quit if this code is not right.
        if (empty($_POST['code']) || substr($realCode, 0, 10) !== substr(md5($_POST['code']), 0, 10))
