| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Nov 2011 01:05:02 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: New vulnerabilities in poMMo Hello list! I want to warn you about new security vulnerabilities in poMMo. In addition to previous XSS, BF and IAA vulnerabilities. These are Information Leakage, Insufficient Anti-automation and Abuse of Functionality vulnerabilities. ------------------------- Affected products: ------------------------- Vulnerable are all versions of poMMo (poMMo Aardvark PR16.1 and previous versions). ---------- Details: ---------- Information Leakage (WASC-13): After entering of e-mail at subscribe.php, at the page http://site/pommo/user/process.php the pending_code is showed (as debug information). Which allows to pass registration confirmation and which can be used for subscribing of arbitrary e-mails. Insufficient Anti-automation (WASC-21): http://site/pommo/user/confirm.php?code=32456bdc42bf333c7cf842924aabeba8 Due to lack of captcha at this page and with taking into account Insufficient Anti-automation at subscribe.php and Information Leakage at process.php, it's possible to automate subscription of people on mailing list. Abuse of Functionality (WASC-42): These vulnerabilities allow e-mail (login) enumeration attack, at that only login (without password) is used for user authentication. And also to use e-mails for spam purposes. http://site/pommo/user/update.php?email=1@1.com At setting of e-mail (which is login), which isn't in DB of subscribers, the redirect occurs, and if it's in DB then the message shows about incorrect code. http://site/pommo/user/activate.php?email=1@1.com At setting of e-mail (which is login), which isn't in DB of subscribers, the redirect occurs, and if it's in DB then the message shows that letter was sent on this e-mail. ------------ Timeline: ------------ 2011.08.17 - announced at my site. 2011.08.17 - informed developers. 2011.11.04 - disclosed at my site. I mentioned about these vulnerabilities at my site: http://websecurity.com.ua/5322/ Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists