Hello Mueslix! I want to warn you about Insufficient Content Filtering on FD.

------------
Timeline:
------------

2005.12.24 - Mueslix got a computer
2005.12.31 - His friends didn't want to go out with him, so he read OWASP instead
2006.01.02 - Found his first FDP
2011.03.29 - Still spamming this list with FDP, and a horribly broken En.

On Thu, Mar 31, 2011 at 11:22 PM, MustLive <[email protected]> wrote:
> Hello list!
>
> I want to warn you about an Insufficient Anti-automation vulnerability in
> the MaxSite Anti Spam Image plugin for WordPress.
>
> This is a modified version of the original plugin Anti Spam Image, a
> vulnerability in which I wrote about in 2007 in my project Month of Bugs in
> Captchas. This captcha is vulnerable to session reusing with the constant
> captcha bypass method, like the original Anti Spam Image, on which this
> plugin is based.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are MaxSite Anti Spam Image 0.6 and potentially all other
> versions of this plugin.
>
> ----------
> Details:
> ----------
>
> Insufficient Anti-automation (WASC-21):
>
> Exploit:
>
> http://websecurity.com.ua/uploads/2011/MaxSite%20Anti%20Spam%20Image%20CAPTCHA%20bypass.html
>
> The vulnerability exists on old versions of PHP. It shows only in PHP <
> 4.4.7, which has a bug that leads to an error in the web application's
> algorithm, which makes captcha bypass possible.
>
> ------------
> Timeline:
> ------------
>
> 2007.12.01 - found vulnerability.
> 2007.12.01 - informed developer.
> 2011.03.29 - disclosed at my site.
>
> I mentioned this vulnerability at my site
> (http://websecurity.com.ua/5045/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
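The "session reusing" class the quoted advisory names, shown as an added PHP illustration that is not the plugin's code: a CAPTCHA answer kept in the session but never consumed accepts one solved challenge on every later submission, while the single-use variant clears it on the first check. Function names and the in-memory session array are hypothetical.

```php
<?php
// Added illustration of the session-reuse CAPTCHA weakness and its fix.
// Not the MaxSite plugin's code; all names here are hypothetical.

// Vulnerable pattern: the expected answer stays in the session after a
// successful check, so one solved CAPTCHA is accepted on every later submit
// made with the same session cookie.
function captcha_check_reusable(array &$session, string $answer): bool {
    if (!isset($session['captcha'])) {
        return false;
    }
    return $session['captcha'] === $answer;   // answer is never cleared
}

// Hardened pattern: the stored answer is consumed on the first verification
// attempt, success or failure, so every submission needs a fresh solve.
function captcha_check_single_use(array &$session, string $answer): bool {
    if (!isset($session['captcha'])) {
        return false;
    }
    $expected = $session['captcha'];
    unset($session['captcha']);              // consume before comparing
    return hash_equals($expected, $answer);  // constant-time comparison
}

// Issuing a new challenge stores a fresh expected value each time; the image
// rendering that a real plugin would do is omitted here.
function captcha_issue(array &$session): string {
    $code = strtoupper(bin2hex(random_bytes(3)));  // 6 hex characters
    $session['captcha'] = $code;
    return $code;
}

// Demonstration with a constructed in-memory session.
$session = [];
$code = captcha_issue($session);
var_dump(captcha_check_reusable($session, $code));    // bool(true)
var_dump(captcha_check_reusable($session, $code));    // bool(true): replay accepted

$session = [];
$code = captcha_issue($session);
var_dump(captcha_check_single_use($session, $code));  // bool(true)
var_dump(captcha_check_single_use($session, $code));  // bool(false): consumed
```

In a deployed plugin the same rule applies to the server-side session store, whatever PHP version is in use: clear or regenerate the stored answer the moment it is checked.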
