I had another question too -- this one a bit more general. With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation, and how would you address that?
On Apr 25, 2011 11:59 AM, "MustLive" <[email protected]> wrote: > Hello Andrew! > >> You're kidding, right? > > No, I'm serious - as I'm always serious when talk about vulnerabilities. > >> Revealing the names of forum users is practically core functionality. > > Of course it's core functionality. But the hole, as I exactly wrote in my > advisory, is in revealing of logins. So issue is laying in using logins as a > names, so in result the showing names at different parts of the forum is > leading to leakage of logins. It's quite widespread in forum engines and > other webapps to disclose their logins (via different Information Leakage > and Abuse of Functionality holes) as nothing important. Some CMS like Drupal > even have official answer concerning this issue > (http://drupal.org/node/1004778). From my side, I've informed Drupal > developers about 8 login leakage holes which I found (in Drupal 6, new 7 > version must have them all, because of developers' ignoring of this issue) > and gave them recommendations why and how to fix such holes to not reveal > logins and to preserve Drupal's philosophy. > > Many forums (almost all) have similar login leakage vulnerabilities. For > example IPB and Vbulletin, which developers I've informed about them in > 2009. Like I informed many other developers and admins about such holes, > beside developers of MyBB (which ignored to fix them, as many like to do). > > I saw a lot of such vulnerabilities for more then six years. And in 2008 I > started to write about them at my site (like about holes in WordPress), > wrote article Enumerating logins via Abuse of Functionality vulnerabilities > (http://websecurity.com.ua/2840/) and starting from 2009 I've begun actively > fighting with them - by informing many admins and developers about such > vulnerabilities. In my practice most web developers and admins of sites > ignored such holes, but there were those who fixed them. For example > developers of IPB, which have such holes in IPB 1 and 2, after my informing > (at begging of 2009) fixed all such holes in their engine in IPB 3 (it have > released in summer 2009). It must be obvious why I'm using Invision Power > Board as engine for my forum for more then 6 years. > >> The first one requires an activation code sent by email. > > This IAA hole can be used for automatic registration. Altogether with IAA > hole at registration page. To put captcha to first or to second or to both > of the pages - it's up to developers. But the protection must be reliable. > > Plus they have login leakage in this functionality. I've informed developers > of MyBB about all (which I found at brief looking at this engine) login > leakage vulnerabilities. > >> The second one > > This functionality with IAA allows spammers to identify valid e-mails of > existing forum users and also allows to spam registered users from the forum > with "password recovery" letters. Both of which can be easily mitigated by > installing captcha at this functionality. > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > ----- Original Message ----- > From: "Andrew Farmer" <[email protected]> > To: "MustLive" <[email protected]> > Cc: "Full Disclosure" <[email protected]> > Sent: Saturday, April 23, 2011 10:32 PM > Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB > > > On 2011-04-22, at 09:21, MustLive wrote: >> Information Leakage (WASC-13): >> >> Logins are names of the users at the forum (and so it's possible to reveal >> logins at forum's pages). > > You're kidding, right? > > Revealing the names of forum users is practically core functionality. > There's no expectation whatsoever that they be kept secret - they're > displayed all over the site, and a member list (giving you the ability to > download ALL USER NAMES ON THE FORUM OMG) is enabled by default. > > >> Insufficient Anti-automation (WASC-21): >> >> http://site/member.php?action=activate&uid=1 >> >> http://site/member.php?action=lostpw >> >> These functionalities have no protection from automated attacks (captcha). > > The first one requires an activation code sent by email. I suppose you could > *try* to brute-force it, but you'd probably have better luck brute-forcing > the password on the email address you sent the activation to. > > The second one... well, I suppose you could use it to try to determine > whether email addresses belong to anyone on the forum, or send annoying > password reset emails, but adding a CAPTCHA wouldn't really change that > much. > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
