lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 9 Apr 2010 20:30:02 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Susan Bradley" <sbradcpa@...bell.net>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Vulnerabilities in Dunia Soccer

Hello Susan!

> Pardon me, but you disclosed it at your site before you informed the
> developers?

Yes, and there is a reason for it. In 99% I use advanced responsible
disclosure approach for informing admins and web developers about
vulnerabilities. But in this time I used responsible full disclosure. I
wrote in details about all disclosure policies (including these ones) in my
article "Hacking of web sites, security researches, disclosure and
legislation" in part 4 "Vulnerability disclosure"
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/).

It's because earlier I already disclosed details (at my site and to security
lists) of vulnerabilities in CaptchaSecurityImages (a captcha script which
is used in this CMS, as in many other CMS and web applications). So there
were no reasons to not write details about these holes in advisory at my
site, because all information is already public. So for all of these
vulnerable webapps I used responsible full disclosure approach.

> I don't even know what Dunia soccer is but how about you give vendors a
> chance to make good?

By informing developers of CaptchaSecurityImages.php, and additionally every
developer of every web app (which I found) which is using it (like Dunia
soccer), I'm giving them chance to make it good. Because developers of
CaptchaSecurityImages already fixed most of the holes in their script in
2007 and still many developers around the world are using vulnerable version
of the script or "develop" holes (by ignoring developer's recommendations),
I decided to inform those web developers also and to write additional
advisories. Not inform every site owner with this CaptchaSecurityImages.php
(there are too many of them), but inform all web developers who use this
script. It's only way to draw their attention to these issues.

If you'll look at my advisory about vulnerabilities in CaptchaSecurityImages
(http://www.securityfocus.com/archive/1/510276/30/30/threaded), you see that
I found these holes long time ago. I found them at one site and thought that
it's single site issue in custom made captcha. And I gave enough time to
admin of that site to fix those holes (but he ignored my warnings about the
holes). And only at 17.09.2009 when I found the same captcha script at
another site, I understood that it's popular captcha script and so these
holes are widespread. And after 16.03.2010 when I disclosed new hole at that
site, than on the next day I disclosed hole in CaptchaSecurityImages itself
and begun separately disclosing holes in different webapps which use it.

> Is it a vendor site that has information or is this a informational
> forum/sale of soccer stuff site that has a buggy captcha

I found this captcha at some sites before I understood that this is popular
and widespread captcha script. But then I'm only researching holes in
webapps - via google dork which reveals me a lot of SVNs with this
vulnerable captcha script (and so I found a lot of different webapps with
it). I don't know nothing about Dunia soccer and other systems, such as
WeBAM, TooFAST, ArcManager, MiniManager for Project
MANGOS, NoCMS, HoloCMS, GunCMS, PhoenixCMS PHP Edition and phpCOIN (which I
wrote to Bugtraq and I'd write about others). I just found these holes
(concerned with CaptchaSecurityImages) in their source codes in online SVNs.

> The vulnerability ...or rather the bug is in the captcha code, this is
> just a site using it, right?

I'm not writing about bugs, only about vulnerabilities :-). And I regularly
found holes at single sites (which often uses some engines). But in my
advisories I'm talking only about webapps. As I said above, there are many
web applications which are using this captcha, and I wrote to security
mailing lists about some of them and I'd write about others soon.

> But really, for this type of bug do you really need to be trying to
> "shame" someone into fixing it or just informing the site that there's a
> page that is sucking CPU cycles and able to bypass the captcha to post
> spam?

When I found the holes at the site, I'm informing admin of the site (and for
more than five year I informed a lot of admins of the sites about a lot of
holes). I don't write (in most cases) to mailing lists about holes in single
site, only in webapps.

> Why not give the admin of the site a chance?

For more than five year that I'm working in webappsec, I'm always giving
every admin and web developer a chance to fix (I use advanced responsible
disclosure in 99%). And in most cases they just do lame things, like
ignoring and not fixing, or badly fixing, or hiddenly fixing without
thanking me, like it was with securityfocus.com in 2006 and many others.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Susan Bradley" <sbradcpa@...bell.net>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <bugtraq@...urityfocus.com>
Sent: Thursday, April 08, 2010 10:05 PM
Subject: Re: Vulnerabilities in Dunia Soccer


> Timeline:
> 17.03.2010 - found vulnerabilities.
> 30.03.2010 - disclosed at my site.
> 31.03.2010 - informed developers.
> -----------------------------
>
> Pardon me, but you disclosed it at your site before you informed the
> developers?
> I don't even know what Dunia soccer is but how about you give vendors a
> chance to make good?
>
> Is it a vendor site that has information or is this a informational
> forum/sale of soccer stuff site that has a buggy captcha that makes the
> server admin wonder what is chewing up the CPU and why spam is still
> making it to the site?
>
> The vulnerability ...or rather the bug is in the captcha code, this is
> just a site using it, right?
>
> But really, for this type of bug do you really need to be trying to
> "shame" someone into fixing it or just informing the site that there's a
> page that is sucking CPU cycles and able to bypass the captcha to post
> spam?
>
> Why not give the admin of the site a chance?
>
> MustLive wrote:
>> Hello Bugtraq!
>>
>> I want to warn you about security vulnerabilities in system Dunia Soccer.
>>
>> -----------------------------
>> Advisory: Vulnerabilities in Dunia Soccer
>> -----------------------------
>> URL: http://websecurity.com.ua/4083/
>> -----------------------------
>> Affected products: all versions of Dunia Soccer.
>> -----------------------------
>> Timeline:
>> 17.03.2010 - found vulnerabilities.
>> 30.03.2010 - disclosed at my site.
>> 31.03.2010 - informed developers.
>> -----------------------------
>> Details:
>>
>> These are Insufficient Anti-automation and Denial of Service
>> vulnerabilities.
>>
>> The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
>> which
>> is using in this system. I already reported about vulnerabilities in
>> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>>
>> Insufficient Anti-automation:
>>
>> http://site/class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
>>
>> Captcha bypass is possible as via half-automated or automated (with using
>> of
>> OCR) methods, which were mentioned before
>> (http://websecurity.com.ua/4043/),
>> as with using of session reusing with constant captcha bypass method
>> (http://websecurity.com.ua/1551/), which was described in project Month
>> of
>> Bugs in Captchas.
>>
>> DoS:
>>
>> http://site/class/captcha/CaptchaSecurityImages.php?width=1000&height=9000
>>
>> With setting of large values of width and height it's possible to create
>> large load at the server.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ