lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 09 Apr 2010 12:16:00 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in Dunia Soccer

If an admin who doesn't follow bugtraq doesn't know about the issue it's 
not full disclosure to him.  It's like when you hear about a "known 
issue" from Microsoft.   If I didn't know about it, how in the heck is 
it a known issue?  Just because someone in Redmond knows about it 
doesn't mean the rest of us do.

I have captcha on a blog site I run. I get folks able to bypass the 
filter and post spam comments that get filtered and then a week later or 
so gets deleted off and the CPU use on the site sucks.  But that could 
also be the software I'm running.

Maybe I'm jaded but I'm my understanding of the risk is right, if all 
they can do is bypass my spam filters and run up my CPU cycles I'm not 
sure I'd call this a vulnerability.  Bug yes.  I guess I define 
vulnerability more strictly in terms of actual damage, remote access, 
harsh impact to the users of the site, loss of sensitive account 
information, etc, more damage than just forcing me to buy beefier 
hardware and wonder why I occasionally get a spam posted, but maybe I'm 
wrong in my jaded patchers/risk view.

17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.

My specific question is did you contact the admin of this particular 
site ahead of time with this information.  Based on your timeline you 
say you found it, you disclosed this issue on your site, then informed 
developers.   Then posting here 7 days afterwards seems a bit of a short 
window to give an admin time to do anything.

I'm pretty sure I have the same issue on my site but given that we're 
planning to migrate off that platform soon anyway I'd probably live with 
the issue and not take any action if you contacted me.  I'd thank you 
and explain that while the cpu suck was a bother along with the 
occasional pharma spam post getting through, I'd probably live with it 
given the short time frame we plan to be on that platform.

All I'm saying is that in your timeline - disclosed at your site 
http://websecurity.com.ua/4083/  and then informing Dunia Soccer, I'm 
not sure is fair to the folks that run that site.  If I were that site's 
admin and if I'm understanding your disclosure process correctly, I 
wouldn't feel that you'd contacted me first and given me a chance to 
respond is all I'm saying.





MustLive wrote:
> Hello Susan!
>
>> Pardon me, but you disclosed it at your site before you informed the
>> developers?
>
> Yes, and there is a reason for it. In 99% I use advanced responsible
> disclosure approach for informing admins and web developers about
> vulnerabilities. But in this time I used responsible full disclosure. I
> wrote in details about all disclosure policies (including these ones) 
> in my
> article "Hacking of web sites, security researches, disclosure and
> legislation" in part 4 "Vulnerability disclosure"
> (http://websecurity.com.ua/articles/security_researches_and_legislation/eng/). 
>
>
> It's because earlier I already disclosed details (at my site and to 
> security
> lists) of vulnerabilities in CaptchaSecurityImages (a captcha script 
> which
> is used in this CMS, as in many other CMS and web applications). So there
> were no reasons to not write details about these holes in advisory at my
> site, because all information is already public. So for all of these
> vulnerable webapps I used responsible full disclosure approach.
>
>> I don't even know what Dunia soccer is but how about you give vendors a
>> chance to make good?
>
> By informing developers of CaptchaSecurityImages.php, and additionally 
> every
> developer of every web app (which I found) which is using it (like Dunia
> soccer), I'm giving them chance to make it good. Because developers of
> CaptchaSecurityImages already fixed most of the holes in their script in
> 2007 and still many developers around the world are using vulnerable 
> version
> of the script or "develop" holes (by ignoring developer's 
> recommendations),
> I decided to inform those web developers also and to write additional
> advisories. Not inform every site owner with this 
> CaptchaSecurityImages.php
> (there are too many of them), but inform all web developers who use this
> script. It's only way to draw their attention to these issues.
>
> If you'll look at my advisory about vulnerabilities in 
> CaptchaSecurityImages
> (http://www.securityfocus.com/archive/1/510276/30/30/threaded), you 
> see that
> I found these holes long time ago. I found them at one site and 
> thought that
> it's single site issue in custom made captcha. And I gave enough time to
> admin of that site to fix those holes (but he ignored my warnings 
> about the
> holes). And only at 17.09.2009 when I found the same captcha script at
> another site, I understood that it's popular captcha script and so these
> holes are widespread. And after 16.03.2010 when I disclosed new hole 
> at that
> site, than on the next day I disclosed hole in CaptchaSecurityImages 
> itself
> and begun separately disclosing holes in different webapps which use it.
>
>> Is it a vendor site that has information or is this a informational
>> forum/sale of soccer stuff site that has a buggy captcha
>
> I found this captcha at some sites before I understood that this is 
> popular
> and widespread captcha script. But then I'm only researching holes in
> webapps - via google dork which reveals me a lot of SVNs with this
> vulnerable captcha script (and so I found a lot of different webapps with
> it). I don't know nothing about Dunia soccer and other systems, such as
> WeBAM, TooFAST, ArcManager, MiniManager for Project
> MANGOS, NoCMS, HoloCMS, GunCMS, PhoenixCMS PHP Edition and phpCOIN 
> (which I
> wrote to Bugtraq and I'd write about others). I just found these holes
> (concerned with CaptchaSecurityImages) in their source codes in online 
> SVNs.
>
>> The vulnerability ...or rather the bug is in the captcha code, this is
>> just a site using it, right?
>
> I'm not writing about bugs, only about vulnerabilities :-). And I 
> regularly
> found holes at single sites (which often uses some engines). But in my
> advisories I'm talking only about webapps. As I said above, there are 
> many
> web applications which are using this captcha, and I wrote to security
> mailing lists about some of them and I'd write about others soon.
>
>> But really, for this type of bug do you really need to be trying to
>> "shame" someone into fixing it or just informing the site that there's a
>> page that is sucking CPU cycles and able to bypass the captcha to post
>> spam?
>
> When I found the holes at the site, I'm informing admin of the site 
> (and for
> more than five year I informed a lot of admins of the sites about a 
> lot of
> holes). I don't write (in most cases) to mailing lists about holes in 
> single
> site, only in webapps.
>
>> Why not give the admin of the site a chance?
>
> For more than five year that I'm working in webappsec, I'm always giving
> every admin and web developer a chance to fix (I use advanced responsible
> disclosure in 99%). And in most cases they just do lame things, like
> ignoring and not fixing, or badly fixing, or hiddenly fixing without
> thanking me, like it was with securityfocus.com in 2006 and many others.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@...bell.net>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <bugtraq@...urityfocus.com>
> Sent: Thursday, April 08, 2010 10:05 PM
> Subject: Re: Vulnerabilities in Dunia Soccer
>
>
>> Timeline:
>> 17.03.2010 - found vulnerabilities.
>> 30.03.2010 - disclosed at my site.
>> 31.03.2010 - informed developers.
>> -----------------------------
>>
>> Pardon me, but you disclosed it at your site before you informed the
>> developers?
>> I don't even know what Dunia soccer is but how about you give vendors a
>> chance to make good?
>>
>> Is it a vendor site that has information or is this a informational
>> forum/sale of soccer stuff site that has a buggy captcha that makes the
>> server admin wonder what is chewing up the CPU and why spam is still
>> making it to the site?
>>
>> The vulnerability ...or rather the bug is in the captcha code, this is
>> just a site using it, right?
>>
>> But really, for this type of bug do you really need to be trying to
>> "shame" someone into fixing it or just informing the site that there's a
>> page that is sucking CPU cycles and able to bypass the captcha to post
>> spam?
>>
>> Why not give the admin of the site a chance?
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about security vulnerabilities in system Dunia 
>>> Soccer.
>>>
>>> -----------------------------
>>> Advisory: Vulnerabilities in Dunia Soccer
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4083/
>>> -----------------------------
>>> Affected products: all versions of Dunia Soccer.
>>> -----------------------------
>>> Timeline:
>>> 17.03.2010 - found vulnerabilities.
>>> 30.03.2010 - disclosed at my site.
>>> 31.03.2010 - informed developers.
>>> -----------------------------
>>> Details:
>>>
>>> These are Insufficient Anti-automation and Denial of Service
>>> vulnerabilities.
>>>
>>> The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
>>> which
>>> is using in this system. I already reported about vulnerabilities in
>>> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>>>
>>> Insufficient Anti-automation:
>>>
>>> http://site/class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2 
>>>
>>>
>>> Captcha bypass is possible as via half-automated or automated (with 
>>> using
>>> of
>>> OCR) methods, which were mentioned before
>>> (http://websecurity.com.ua/4043/),
>>> as with using of session reusing with constant captcha bypass method
>>> (http://websecurity.com.ua/1551/), which was described in project Month
>>> of
>>> Bugs in Captchas.
>>>
>>> DoS:
>>>
>>> http://site/class/captcha/CaptchaSecurityImages.php?width=1000&height=9000 
>>>
>>>
>>> With setting of large values of width and height it's possible to 
>>> create
>>> large load at the server.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ