On 2011-04-22, at 09:21, MustLive wrote: > Information Leakage (WASC-13): > > Logins are names of the users at the forum (and so it's possible to reveal > logins at forum's pages).
You're kidding, right? Revealing the names of forum users is practically core functionality. There's no expectation whatsoever that they be kept secret - they're displayed all over the site, and a member list (giving you the ability to download ALL USER NAMES ON THE FORUM OMG) is enabled by default. > Insufficient Anti-automation (WASC-21): > > http://site/member.php?action=activate&uid=1 > > http://site/member.php?action=lostpw > > These functionalities have no protection from automated attacks (captcha). The first one requires an activation code sent by email. I suppose you could *try* to brute-force it, but you'd probably have better luck brute-forcing the password on the email address you sent the activation to. The second one... well, I suppose you could use it to try to determine whether email addresses belong to anyone on the forum, or send annoying password reset emails, but adding a CAPTCHA wouldn't really change that much. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
