lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 4 May 2011 23:50:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Zach C." <fxchip@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple vulnerabilities in MyBB

Hi Zach!

> With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation,

Any captcha which has no vulnerabilities in code itself (such as those described by me in 2007 in my project Month of Bugs in Captchas) can't be considered as Insufficient Anti-automation by default, regardless of existence of Deathbycaptcha and other services of type Captcha Solver as a Service.

Holes in algorithms of captchas are a posteriori holes, so they are exactly IAA. And attacks via OCR or "hired" humans are a priori holes - the holes in idea itself. And they are considered by creators of captcha, at least they should be considered :-). So user of every secure (to a posteriori holes) captcha need to take into account that there are exist OCR or "hired" humans (a priori holes), which can create a problems. Which also can come from different Captcha Solver as a Service. And if such problems will appear, then there can be made improvements in captcha or used other methods of protection.

> and how would you address that?

By improving of the captcha. You could see such "hard captchas", where it's hard to see the text on it or with mathematical equation. Such captchas can create a serious problems for OCR and "hired" humans (but also can complicate process for legitimate users of the site). So it's up to every admin to decide what is more important to him - usability for users (and OCR and "hired" humans), or security of his site.

Also there can be used other methods (captcha-less) if captcha is not optimal for concrete site. Like putting some functionality into user account (to make it post-auth, but there must be no other holes, like those which I wrote about in my article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)), using of automated anti-spam services and other methods - all of which have different nuances with usability. So it must be carefully chosen for every particular case.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
  ----- Original Message ----- 
  From: Zach C. 
  To: MustLive 
  Cc: Andrew Farmer ; full-disclosure@...ts.grok.org.uk 
  Sent: Wednesday, April 27, 2011 10:57 PM
  Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB


  I had another question too -- this one a bit more general. With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation, and how would you address that?

  On Apr 25, 2011 11:59 AM, "MustLive" <mustlive@...security.com.ua> wrote:
  > Hello Andrew!
  > 
  >> You're kidding, right?
  > 
  > No, I'm serious - as I'm always serious when talk about vulnerabilities.
  > 
  >> Revealing the names of forum users is practically core functionality.
  > 
  > Of course it's core functionality. But the hole, as I exactly wrote in my
  > advisory, is in revealing of logins. So issue is laying in using logins as a
  > names, so in result the showing names at different parts of the forum is
  > leading to leakage of logins. It's quite widespread in forum engines and
  > other webapps to disclose their logins (via different Information Leakage
  > and Abuse of Functionality holes) as nothing important. Some CMS like Drupal
  > even have official answer concerning this issue
  > (http://drupal.org/node/1004778). From my side, I've informed Drupal
  > developers about 8 login leakage holes which I found (in Drupal 6, new 7
  > version must have them all, because of developers' ignoring of this issue)
  > and gave them recommendations why and how to fix such holes to not reveal
  > logins and to preserve Drupal's philosophy.
  > 
  > Many forums (almost all) have similar login leakage vulnerabilities. For
  > example IPB and Vbulletin, which developers I've informed about them in
  > 2009. Like I informed many other developers and admins about such holes,
  > beside developers of MyBB (which ignored to fix them, as many like to do).
  > 
  > I saw a lot of such vulnerabilities for more then six years. And in 2008 I
  > started to write about them at my site (like about holes in WordPress),
  > wrote article Enumerating logins via Abuse of Functionality vulnerabilities
  > (http://websecurity.com.ua/2840/) and starting from 2009 I've begun actively
  > fighting with them - by informing many admins and developers about such
  > vulnerabilities. In my practice most web developers and admins of sites
  > ignored such holes, but there were those who fixed them. For example
  > developers of IPB, which have such holes in IPB 1 and 2, after my informing
  > (at begging of 2009) fixed all such holes in their engine in IPB 3 (it have
  > released in summer 2009). It must be obvious why I'm using Invision Power
  > Board as engine for my forum for more then 6 years.
  > 
  >> The first one requires an activation code sent by email.
  > 
  > This IAA hole can be used for automatic registration. Altogether with IAA
  > hole at registration page. To put captcha to first or to second or to both
  > of the pages - it's up to developers. But the protection must be reliable.
  > 
  > Plus they have login leakage in this functionality. I've informed developers
  > of MyBB about all (which I found at brief looking at this engine) login
  > leakage vulnerabilities.
  > 
  >> The second one
  > 
  > This functionality with IAA allows spammers to identify valid e-mails of
  > existing forum users and also allows to spam registered users from the forum
  > with "password recovery" letters. Both of which can be easily mitigated by
  > installing captcha at this functionality.
  > 
  > Best wishes & regards,
  > MustLive
  > Administrator of Websecurity web site
  > http://websecurity.com.ua

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ