lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 08 Apr 2010 12:05:21 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in Dunia Soccer

Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------

Pardon me, but you disclosed it at your site before you informed the 
developers? 

I don't even know what Dunia soccer is but how about you give vendors a 
chance to make good?

Is it a vendor site that has information or is this a informational 
forum/sale of soccer stuff site that has a buggy captcha that makes the 
server admin wonder what is chewing up the CPU and why spam is still 
making it to the site?

The vulnerability ...or rather the bug is in the captcha code, this is 
just a site using it, right?

But really, for this type of bug do you really need to be trying to 
"shame" someone into fixing it or just informing the site that there's a 
page that is sucking CPU cycles and able to bypass the captcha to post spam?

Why not give the admin of the site a chance?

MustLive wrote:
> Hello Bugtraq!
>
> I want to warn you about security vulnerabilities in system Dunia Soccer.
>
> -----------------------------
> Advisory: Vulnerabilities in Dunia Soccer
> -----------------------------
> URL: http://websecurity.com.ua/4083/
> -----------------------------
> Affected products: all versions of Dunia Soccer.
> -----------------------------
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 30.03.2010 - disclosed at my site.
> 31.03.2010 - informed developers.
> -----------------------------
> Details:
>
> These are Insufficient Anti-automation and Denial of Service
> vulnerabilities.
>
> The vulnerabilities exist in captcha script CaptchaSecurityImages.php, 
> which
> is using in this system. I already reported about vulnerabilities in
> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>
> Insufficient Anti-automation:
>
> http://site/class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2 
>
>
> Captcha bypass is possible as via half-automated or automated (with 
> using of
> OCR) methods, which were mentioned before 
> (http://websecurity.com.ua/4043/),
> as with using of session reusing with constant captcha bypass method
> (http://websecurity.com.ua/1551/), which was described in project 
> Month of
> Bugs in Captchas.
>
> DoS:
>
> http://site/class/captcha/CaptchaSecurityImages.php?width=1000&height=9000 
>
>
> With setting of large values of width and height it's possible to create
> large load at the server.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ