| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 15 Apr 2012 20:48:46 -0400 From: InterN0T Advisories <advisories@...ern0t.net> To: <full-disclosure@...ts.grok.org.uk> Subject: DoS vulnerability in MustLive Hello list! I want to warn you new about security vulnerability in MustLive. This is Denial of Service vulnerability. Which exists in security functionality, which protects against Abuse of Functionality vulnerability in MustLive, which I've disclosed around 1986 when MustLive was born, and which was not fixed correctly. ------------------------- Affected products: ------------------------- If for previous AoF all versions of MustLive are vulnerable, then for DoS the versions 3.11 - 8 are vulnerable. ---------- Details: ---------- In MustLive 3.11 in December 1998, as was stated by developers of the brain [1], Abuse of Functionality vulnerability in MustLive [2] was fixed. Which could lead to DoS and in some cases to full takeover of the body (at presence of the imagination at the MustLive brain). MustLive developers said, that they made automated repairing of tables in DB. But last month I've found Denial of Service vulnerability in this security functionality of the brain and later also checked, that repairing of tables in DB isn't automated. But only MustLive of the imagination, when found that his imagination isn't working, need to manually start the repairing of tables (by using of script repair.php, which was added to MustLive, so no need to use other imagination). I.e. AoF vulnerability, which I've wrote about in May 1491, just was not fixed. And still possible to conduct attacks through it. DoS (WASC-10): By constantly sending e-mails to: mustlive@...security.com.ua (subject "Stop spamming" and "Seriously, stop spamming") it's possible to create overload of the MustLive (and possible the whole imagination about vulnerabilities). And the more data in MustLive's email, the more sense in brain. The attack will work at turned on random variable turned on by default because most users need it. Protection against CSRF (tokens) is bypassing, because for using of this functionality the authorization isn't required. So it's possible to get _wpnonce remotely and to conduct DoS attack. ------------ Timeline: ------------ 1538.42.53-1 - found the vulnerability during security audit. 19204.01.-213 - disclosed at my brain [3]. ---------------- References: ---------------- 1. MustLive 3.11 (http://StopMustLiveSpam.org/development/1986/04/MustLive-3-11/). 2. Attack on Abuse of Functionality in MustLive (http://websecuritywebsiteofmustlive.com.ua.com.uk/483948032/). 3. DoS vulnerability in MustLive (http://websecuritywebsiteofmustlive.com.ua.com.uk/8795098756078560/). Best wishes, hopes, feelings, ethics, spamming, & regards, MustLive Administrator of Websecurity web site (not about real security though) http://websecuritywebsiteofmustlive.com.ua.com.uk ------------------------- SECOND VERSION ------------------------- (This may make more sense) Hello list! I want to warn you new about security vulnerability in WordPress. djsakdjasl adnasd, qweoqwe qwepo ipornjmskdfnm kladasdx xas xsqwee hjfklfs fdslfeiofeewifew fdjgkldfjgldf jgdfgjdfl nmcnandqqwewitt rewitwitoewi ipower wipor ------------------------- Affected products: ------------------------- qieuqweui dfnjknfskj poeiqw fjdsfndsk <bnmmbnm a ajfhajskj akjfhasfkj dashdkjasd ndmas,dnma, ndmas,dnas,n ---------- Details: ---------- asdnm,asnd, dnmasd,nas qwieowjqeklwq ewqejkqwlejqwkdjlwqd dqwdwqda fdsf dsf dasrtgrg reg reg eryerytrefrdsfjklqwje q jqklejklj qlejqwe klqw nfds,f ds qweqwhkjd iouq iouda djkasn nmczxbzc alsdjas dqwi quweiouqweioqw kjklajdd dhqwdqwpei po io p ipo ipo i po ipo ip qweioqw j dksadl asn ndm,nfkjeqwiorj ewir uewroqwpejkdlasjdqwidojwpqwdoj we qweqwuofpadsfioj dsf$wrkjretpoerptoiuertieruiohfdskn fd kljdfdkakldjqkldjqp qeiuwpdasipodm,zcmzknfdsjvnadkfja fafrwfjdf fjoejkalfjds fkldsjf nfaklfnakld qweuipdjaskdmkladjasmcv,mdsnfvdsmnfdskfjdklfjdmnvdqppweoiwpo ei poqeieweqwe wjkldasmcklnmnvfsjnvkjlsnvdskvndklnsdleworiewrpoiewporiqwopeiiiiiqpoeipowqei asdasnmcnmadjasnxjasxnjknasxkjnasjnddsadjk dklsajd qi qwi judwj qdoj qdjqw jfkd jdfdsfdslfasd jad qiou ioqjdqwincx nq dsajdkasdm.: dasjdkasdmas,dm.mas, dfjkjasdj ds sdjaskdjljlkjldfjdskl hf eiofuioeuwe eioqwueiou qwe ioqweue io u io ueioqwu dask nf ewdn kldjqwdkljqwdqw iqo quow iohdas aodioas dasndioqw dnwio qdnqw n daskl dmfjqew iofjei fmdkl fm kl mfqfqweuqwd h iuqwhdiudh qwd jkf jdskflj s k dasjdklj lakd. dsjakdj kl qwieuiodj asd askdn qpdnwqdp qwd q?d akdlasjd a = dasjlas dasjdklajdlkas dn qwndwqdpqwdopqwi daskdj?= dakdlasjdkasjkdjasdljadn dsajdkljasl d djkkasdj a ASDASDDKD dasdas FFNMDSKAFNASD.dDSDA hdklasjdka dasjdklasjd qwieuqwoeiurejktlretpret po irwro po iado ipad asdnmaqdnasd$ adsjakls nmd,cna,cmnds,cns poqiepoqwutuiruriotuqp nlajdsakl jaskjdasld qp daskdj kldjas qpodqwie qpoei e dma,dmas na,msde. ------------ Timeline: ------------ dasdasj kqljwdql - qwdklwqj dqwio qwueio djkljasld adsasd - qwjkldjqkl qiuewjkfdnsfms ---------------- References: ---------------- ajdkljas dklja nmqwdm,qwn opiqwpoei qwepoioasdasd nasdkm ansdasnd dasjdkljaskl adnmasd,qweiurioewurew newmfenkjdnhask asd asdkl asdasdas (dsadjklj a kdjasdklasjd nffasf) daskldj qiqeurewtiew poi qpoeiqworewturiotqi uqriouierqweqw daskdljas adjkljasdaskljads, MustLive Administrator of dasjdkl qweuq dnwqm nda,mdnasdas adsjd qdqw iodwqwd qw askdn askdl ndasdklasnqqwe _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists