| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Feb 2011 14:45:46 -0500 From: Justin Klein Keane <justin@...irish.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MustLive: you're a little late to this party, see http://www.madirish.net/?article=443, published Dec 2009. The other issues you mention may already be disclosed. The Drupal Login Security module (http://drupal.org/project/login_security) is an effective mitigation for some of these problems. Do you do any research before you publish these advisories? Justin Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey On 02/18/2011 02:30 PM, MustLive wrote: > Hello list! > > I want to warn you about Brute Force and Abuse of Functionality > vulnerabilities in Drupal. > > ------------------------- > Affected products: > ------------------------- > > Vulnerable are Drupal 6.20 and previous versions. > > ---------- > Details: > ---------- > > Brute Force (WASC-11): > > In login form (http://site/user/) there is no reliable protection against > brute force attacks. There is no captcha in Drupal itself, and existent > Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all > plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/). > > Abuse of Functionality (WASC-42): > > At contact page (http://site/contact) and at page for contact with user > (http://site/user/1/contact) there is a possibility to send spam from the > site to arbitrary e-mails via function "Send yourself a copy". And with > using of Insufficient Anti-automation vulnerability it's possible to send > spam from the site in automated manner on a large scale. The attack with > using of this function is possible only for logged in users. > > For automated sending of spam it's needed to use before-mentioned > Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal > itself, and existent captcha-module is vulnerable (and also all plugins to > it, such as reCAPTCHA). > > About such Abuse of Functionality vulnerabilities I wrote in article Sending > spam via sites and creating spam-botnets > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html). > > Abuse of Functionality (WASC-42): > > At request to specific pages of the site with setting login > (http://site/users/user) it's possible to find existent logins of the users > at site (i.e. to enumerate logins). If shows "Access denied" - then such > login exists, and if "Page not found" - then no. > > At request to pages for contact with users (http://site/user/1/contact) > login of the user shows (i.e. it's possible to enumerate logins). The attack > is possible to conduct only for logged in users and it'll work only if > attacked user turned on the option "Personal contact form" in his profile. > > ------------ > Timeline: > ------------ > > 2010.12.15 - announced at my site. > 2010.12.16 - informed developers. > 2011.02.17 - disclosed at my site. > > I mentioned about these vulnerabilities at my site > (http://websecurity.com.ua/4763/). > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAk1ezF8ACgkQkSlsbLsN1gA3KAb9GAwPgHQPFrmPSam+i9/BDIm0 jiR7Yxx0A9ubv3xvQAyz+cVIvcXEXVE040PirkpcnC6lY4ZXWCdvzUiYVrkarlJC y6CZ8WVw8xsnjxZb382wHUE00SQF4rylAv4OP0WYDDUqjdEPA+CLxKfaO/LtrmIB b3QNPEkJhrxNnW6nHc+JeqAG6Ukz+0zpKen+Wi1IPaOR1XGMaiak7IjSdN91u/XV MHlOKyOr1NLEOMze2+rH8PexbrWAXuWyj74F+2lVOeiiD95ZY3CpnIVKJGb6G79h EuSuV/+JZ/Idj7pWIO4= =pZNB -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists