nah, he'd be telling us how that was an easy way to find valid accounts. -Benji
On Thu, Apr 8, 2010 at 6:30 PM, T Biehn <[email protected]> wrote:
> If there were an account lockout after 5 tries would you be telling us
> about how there was a DOS vector on the same software?
>
> -Travis
>
> On Mon, Apr 5, 2010 at 4:35 PM, MustLive <[email protected]> wrote:
> > Hello Full-Disclosure!
> >
> > I want to warn you about security vulnerabilities in TAK cms. It's a Ukrainian
> > commercial CMS.
> >
> > -----------------------------
> > Advisory: Vulnerabilities in TAK cms
> > -----------------------------
> > URL: http://websecurity.com.ua/4050/
> > -----------------------------
> > Timeline:
> > 04.02.2009 - found vulnerabilities.
> > 30.09.2009 - informed owners of web sites where I found these
> > vulnerabilities. Taking into account that I didn't find any contact data for
> > the developer of TAK cms, I hope that the owners of those sites informed him
> > about these vulnerabilities. This is one of those cases with a commercial CMS
> > where the developers didn't leave any contact data and there is no information
> > about them on the Internet.
> > 19.03.2010 - disclosed at my site.
> > -----------------------------
> > Details:
> >
> > These are Insufficient Anti-automation and Brute Force vulnerabilities.
> >
> > Insufficient Anti-automation:
> >
> > http://site/about/contacts/
> > http://site/register/getpassword/
> >
> > At these pages there is no protection from automated requests (captcha).
> >
> > Brute Force:
> >
> > http://site/auth/
> > http://site/admin/
> >
> > In the login forms there is no protection from Brute Force attacks.
> >
> > All versions of TAK cms are vulnerable.
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
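Added example, not code from TAK cms and not posted by anyone in the thread above: a login throttle that addresses both objections raised here. A hard lockout after N failures hands an attacker a way to lock real users out (Travis's DOS point) and, because only existing accounts lock, a way to find valid usernames (Benji's point). The throttle below instead counts failures per client IP and per target username, grows the delay exponentially with a cap, never locks anything permanently, and counts and hashes unknown usernames exactly like real ones so the response never depends on whether the account exists. The user store, salt, IP addresses and thresholds are constructed for the example; the same class could front the /register/getpassword/ form keyed by IP and e-mail address.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store for this example (not TAK cms data): username -> (salt, PBKDF2 hash).
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"example-salt-only"
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}
# Hash compared for unknown usernames, so they cost the same time as real ones.
_DUMMY = _hash(b"not-a-real-password", _SALT)


class LoginThrottle:
    """Escalating, self-expiring delay per client IP and per target username.

    After `threshold` consecutive failures on a key, the next attempt on that
    key is refused until base_delay * 2**(failures - threshold) seconds have
    passed since the last failure, capped at max_delay. Counters expire after
    `window` seconds of quiet. No account is ever locked, so a third party
    cannot deny a victim access; and because unknown usernames get a counter
    too, the throttle behaves identically for real and non-existent accounts.
    """

    def __init__(self, threshold=5, base_delay=1.0, max_delay=300.0, window=900.0):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self._fails = defaultdict(int)    # key -> consecutive failures
        self._last = defaultdict(float)   # key -> time of the last failure

    @staticmethod
    def _keys(ip, username):
        return f"ip:{ip}", f"user:{username.strip().lower()}"

    def _delay(self, key):
        n = self._fails[key]
        if n < self.threshold:
            return 0.0
        return min(self.base_delay * 2 ** (n - self.threshold), self.max_delay)

    def retry_after(self, ip, username, now):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        wait = 0.0
        for key in self._keys(ip, username):
            if now - self._last[key] > self.window:   # quiet long enough: forget it
                self._fails[key] = 0
            wait = max(wait, self._last[key] + self._delay(key) - now)
        return wait

    def record(self, ip, username, success, now):
        ip_key, user_key = self._keys(ip, username)
        if success:
            # Only the account's counter is cleared. The IP counter merely
            # decays, so one known-good credential cannot be used to reset
            # a spraying source between guesses.
            self._fails[user_key] = 0
            return
        for key in (ip_key, user_key):
            self._fails[key] += 1
            self._last[key] = now


def login(throttle, ip, username, password, now):
    """Return 'ok', 'denied' or 'throttled'.

    Known and unknown usernames follow the same path: both are throttled,
    both get a PBKDF2 comparison, both get the same failure result.
    """
    if throttle.retry_after(ip, username, now) > 0:
        return "throttled"
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    match = hmac.compare_digest(_hash(password.encode(), salt), stored)
    ok = match and username in USERS   # the dummy hash must never log anyone in
    throttle.record(ip, username, ok, now)
    return "ok" if ok else "denied"


def failure_sequence(username, ip="203.0.113.7", step=0.1, n=4):
    """Results of n rapid wrong-password attempts against `username` from a
    fresh throttle; used to show known and unknown accounts look the same."""
    t = LoginThrottle(threshold=3, base_delay=1.0, max_delay=8.0)
    return [login(t, ip, username, "wrong", i * step) for i in range(n)]


if __name__ == "__main__":
    print("alice:  ", failure_sequence("alice"))
    print("nobody: ", failure_sequence("nobody"))
```

Running the script shows the same denied/denied/denied/throttled sequence for the real account "alice" and the non-existent "nobody". The delay is keyed on the username even when it does not exist, so a probe cannot tell the two apart, and because the throttle only delays rather than locks, an attacker hammering a victim's name can at most slow that victim down for max_delay seconds.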
