Date: Tue, 13 Apr 2010 21:35:30 -0700
From: Kaddeh <kaddeh@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Insufficient Anti-automation and Denial of
	Service vulnerabilities in multiple systems

First off, I am curious how many of the developers responded to your
notification to them about these vulnerabilities.
Secondly, just a thought: if you are testing a piece of obscure software, at
least try and link to their site/repo or whatever.
Third, if all of these CMS vulns that you are finding are true (I am
assuming that they are possible), why are you testing CMS software that was
last updated 2 years ago, like HoloCMS? (At least, without proper links to
home pages, I can't tell short of doing a Google search.)
Additionally, I would assume that you tested these on a machine that you
yourself have; specs of this machine would be nice. I know that I have seen
several vulns come through that can be reproduced, but you have to have a
very select configuration (i.e., document.write "bugs" that only fail on
32-bit, VM issues with VT-x on 32-bit, etc.).

Cheers

Kad

On Mon, Apr 12, 2010 at 1:42 PM, MustLive <mustlive@...security.com.ua> wrote:

> Hello Full-Disclosure!
>
> I want to warn you about Insufficient Anti-automation and Denial of Service
> vulnerabilities in multiple systems.
>
> This is additional information to my advisories about MiniManager for Project
> MANGOS and HoloCMS.
>
> I have already reported Insufficient Anti-automation and Denial of
> Service vulnerabilities in CaptchaSecurityImages and in many systems which
> are using the script CaptchaSecurityImages.php. About vulnerabilities in
> some other systems (already disclosed at my site) I'll write to the
> list soon, when the queue comes to them.
>
> As I mentioned before, there are many vulnerable web sites and web
> applications with CaptchaSecurityImages.php. And as you
> can see from all my advisories on this subject, there are really many
> vulnerable CMS with it. But these are only those which I found in one
> Google dork, and there can be a lot of other systems which are using the
> same vulnerable CaptchaSecurityImages.php, e.g. those which are not indexed by
> Google, open source systems which have no online SVN, commercial systems
> (both open source and closed source which decided to use this GPL script) and
> those systems which changed the filename of CaptchaSecurityImages.php.
>
> So I did additional research on vulnerable systems previously reported by
> me, and found many projects which are also affected. Here is a list of them
> as an addition to my two previous advisories. I already combined
> information about vulnerabilities in GunCMS and PhoenixCMS PHP Edition into one
> advisory, and in this advisory I'm using the same approach, where I combine
> multiple vulnerable systems into one advisory not just because they use the same
> script, but because they use code of other systems.
>
> Concerning vulnerabilities in MiniManager for Project MANGOS
> (http://websecurity.com.ua/4061/):
>
> - Land of Legends Manager (LoL Manager) is based on MiniManager for Project
> MANGOS (there is a mention of CaptchaSecurityImages.php in the code of the
> system, but the file itself is not in SVN).
> - WoWCrackz MaNGOS is based on MiniManager for Project MANGOS (only the path
> to CaptchaSecurityImages.php is different).
>
> Resulting list of affected software:
>
> Affected products: MiniManager for Project MANGOS 0.15 and previous
> versions, Land of Legends Manager, WoWCrackz MaNGOS.
>
> Concerning vulnerabilities in HoloCMS (http://websecurity.com.ua/4068/)
> and in addition to GunCMS and PhoenixCMS PHP Edition
> (http://websecurity.com.ua/4075/):
>
> - Baboh Emulator includes HoloCMS.
> - CoreCMS is based on HoloCMS.
> - Holograph Emulator can include HoloCMS.
> - Holograph Emulator - Craigs Edition includes CoreCMS.
> - 0niCMS is based on HoloCMS.
> - AJ-CMS is a new version of HoloCMS.
> - HoloCMS v3.2.0 Synergy is a new version of HoloCMS.
> - HoloCMSrW is another version of HoloCMS.
> - Mir is a new version of HoloCMS.
> - Alexx Hotel includes HoloCMS.
>
> In most cases (except a few) I have not succeeded in viewing the source code
> of these CMS and in checking whether the vulnerabilities from
> HoloCMS exist in them (due to the lack of such code in online SVN). But taking into account
> that all these projects use the old vulnerable code of HoloCMS, then without
> doubt they are all vulnerable.
>
> Resulting list of affected software:
>
> Affected products: HoloCMS 1.3.1, 3.1 and previous versions, GunCMS,
> PhoenixCMS PHP Edition, Baboh Emulator, CoreCMS, Holograph Emulator,
> Holograph Emulator - Craigs Edition, 0niCMS, AJ-CMS, HoloCMS v3.2.0 Synergy,
> HoloCMSrW, Mir, Alexx Hotel.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
