lol. On Thu, Apr 8, 2010 at 4:30 PM, Benji <[email protected]> wrote: > nah, he'd be telling us how that was an easy way to find valid accounts. > > -Benji > > On Thu, Apr 8, 2010 at 6:30 PM, T Biehn <[email protected]> wrote: >> >> If there were an account lockout after 5 tries would you be telling us >> about how there was a DOS vector on the same software? >> >> -Travis >> >> On Mon, Apr 5, 2010 at 4:35 PM, MustLive <[email protected]> >> wrote: >> > Hello Full-Disclosure! >> > >> > I want to warn you about security vulnerabilities in TAK cms. It's >> > Ukrainian >> > commercial CMS. >> > >> > ----------------------------- >> > Advisory: Vulnerabilities in TAK cms >> > ----------------------------- >> > URL: http://websecurity.com.ua/4050/ >> > ----------------------------- >> > Timeline: >> > 04.02.2009 - found vulnerabilities. >> > 30.09.2009 - informed owners of web sites where I found these >> > vulnerabilities. Taking into account, that I didn't find any contact >> > data of >> > developer of TAK cms, then I hope, that owners of that site informed him >> > about these vulnerabilities. This is one of those cases with commercial >> > CMS, >> > where developers didn't leave any contact data and there is no >> > information >> > about them in Internet. >> > 19.03.2010 - disclosed at my site. >> > ----------------------------- >> > Details: >> > >> > These are Insufficient Anti-automation and Brute Force vulnerabilities. >> > >> > Insufficient Anti-automation: >> > >> > http://site/about/contacts/ >> > http://site/register/getpassword/ >> > >> > At these pages there is not protection from automated requests >> > (captcha). >> > >> > Brute Force: >> > >> > http://site/auth/ >> > http://site/admin/ >> > >> > In login forms there is no protection from Brute Force attacks. >> > >> > Vulnerable are all versions of TAK cms. >> > >> > Best wishes & regards, >> > MustLive >> > Administrator of Websecurity web site >> > http://websecurity.com.ua >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> >> >> >> -- >> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C >> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on >> http://pastebin.com/f6fd606da >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > >
-- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on http://pastebin.com/f6fd606da _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
