| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Apr 2010 23:33:04 +0300 From: "MustLive" <mustlive@...security.com.ua> To: "Matteo Valenza" <ilmetu@...il.com> Cc: <bugtraq@...urityfocus.com> Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo Hello Matteo Valenza! > how can i solve this issue quickly ? There are the next solutions for you: 1. Wait until developers of CB Captcha released new fixed version of the plugin. They are examining this vulnerability for some time already (at least Beat, developer of CB Captcha 2.x, because from two authors only he answered me). But Beat told me, that they will be releasing the new fixed version not very quickly (due to their standardized bugfixing process), so users of CB Captcha will need to wait for new release. 2. Contact Beat and ask him when developers will be releasing new version of plugin and to hurry them. 3. Fix the hole manually. It's the most quickest solution and it's possible that you was asking exactly about it. To fix this vulnerability in CB Captcha you need to do, what I recommend to developers of the plugin - to use standard algorithm of fixing such captcha bypass method, which I called session reusing with constant captcha bypass method and described in details in my MoBiC project in 2007. And it concerns all captcha-programs which are using sessions. The algorithm of fixing this issue in CaptchaSecurityImages.php (and it's concerns to CB Captcha and to all those webapps with this captcha in my last advisories, where I mentioned that) was described by developers of CaptchaSecurityImages.php already at 27.03.2007 at their site (http://www.white-hat-web-design.co.uk/articles/php-captcha.php). For that you need to clear session variable "security_code" (or other name which is used in the code of specific webapp). Use unset($_SESSION['security_code']); in the code when you are processing the form. This solution can be used for all affected web applications mentioned by me in last advisories (that have this hole). But concerning CB Captcha if it works in Joomla 1.0 and Mambo, it doesn't work in Joomla 1.5, because it uses another method to work with sessions and for it another code must be used (for clearing of session). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: "Matteo Valenza" <ilmetu@...il.com> To: "Susan Bradley" <sbradcpa@...bell.net> Cc: "MustLive" <mustlive@...security.com.ua>; <bugtraq@...urityfocus.com> Sent: Friday, April 16, 2010 8:08 PM Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo how can i solve this issue quickly ? Thanks. Il giorno 15/apr/2010, alle ore 21.11, Susan Bradley ha scritto: > Dear Bugtraq. > > I am an admin of a site that has Captcha that spam gets through and the > CPU sucks. > > Honest question -- are you going to post about every site that has lousy > captcha? Would it be faster if us admins that have lousy captcha just > outted ourselves first? > > MustLive wrote: >> Hello Bugtraq! >> >> I want to warn you about security vulnerability in plugin CB Captcha >> (plug_cbcaptcha) for component Community Builder (com_comprofiler) for >> Joomla and Mambo. The posting of this advisory to mailing lists was >> delayed, >> because I found that there are two different vulnerable versions of >> plugin >> developed by different authors, so I needed to inform all authors. >> >> ----------------------------- >> Advisory: Vulnerability in CB Captcha for Joomla and Mambo >> ----------------------------- >> URL: http://websecurity.com.ua/4087/ >> ----------------------------- >> Affected products: CB Captcha 1.0.2 and previous versions (developed by >> Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat). >> ----------------------------- >> Timeline: >> 17.03.2010 - found vulnerability. >> 31.03.2010 - disclosed at my site. >> 01.04.2010 - informed developer of CB Captcha 1.x. And because I found >> other >> version of the plugin by another author, and after checking it later I >> informed author of CB Captcha 2.x. >> 13.04.2010 - additionally informed developers of Community Builder (both >> joomlapolis.com and communitybuilder.ru). >> ----------------------------- >> Details: >> >> This is Insufficient Anti-automation vulnerability. >> >> This plugin is based on captcha script CaptchaSecurityImages.php and I >> already reported about vulnerabilities in CaptchaSecurityImages >> (http://websecurity.com.ua/4043/). And in plugin plug_cbcaptcha were >> fixed >> all Insufficient Anti-automation and Denial of Service vulnerabilities >> from >> original script, except one. >> >> Insufficient Anti-automation: >> >> In the plugin it's possible to bypass captcha with using of session >> reusing >> with constant captcha bypass method (http://websecurity.com.ua/1551/), >> which >> was described in project Month of Bugs in Captchas. With using of this >> method it's possible to bypass protection by sending the same code of >> captcha. >> >> It can be done at all pages where this plugin is used. In CB Captcha 1.x >> it's using at registration page, lost password form and lost email form. >> In >> CB Captcha 2.x, in addition to before-mentioned forms, it's using at >> contact >> form (in the presence of component CB Contact 1.1) and login form (in the >> presence of login module of CB 1.2). >> >> PoC: >> >> The PoC for this Insufficient Anti-automation vulnerability was provided >> to >> developers. Everyone who want can create such PoC from exploit provided >> in >> above-mentioned article from MoBiC project. >> >> Best wishes & regards, >> MustLive >> Administrator of Websecurity web site >> http://websecurity.com.ua
Powered by blists - more mailing lists