Message-ID: <001801cad4ff$7571c620$010000c0@ml>
Date: Mon, 5 Apr 2010 23:34:07 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Vulnerabilities in TAK cms

Hello Bugtraq!

I want to warn you about security vulnerabilities in TAK cms. It's a Ukrainian
commercial CMS.

-----------------------------
Advisory: Vulnerabilities in TAK cms
-----------------------------
URL: http://websecurity.com.ua/4050/
-----------------------------
Timeline:
04.02.2009 - found vulnerabilities.
30.09.2009 - informed owners of web sites where I found these
vulnerabilities. Taking into account that I didn't find any contact data for
the developer of TAK cms, I hope that the owners of those sites informed him
about these vulnerabilities. This is one of those cases with commercial CMS
where the developers didn't leave any contact data and there is no information
about them on the Internet.
19.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Insufficient Anti-automation and Brute Force vulnerabilities.

Insufficient Anti-automation:

http://site/about/contacts/
http://site/register/getpassword/

On these pages there is no protection from automated requests (captcha).

Brute Force:

http://site/auth/
http://site/admin/

In login forms there is no protection from Brute Force attacks.

Vulnerable are all versions of TAK cms.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
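
Added example, not part of MustLive's advisory and not code from TAK cms: the two issue classes reported above (login forms with no brute-force protection, and contact/password-recovery forms with no anti-automation) are commonly mitigated server-side with per-account and per-source rate limiting plus a lockout period. The Python below shows that control as a stand-alone sketch; the class names, thresholds, user store and IP addresses are assumptions constructed for the example.

```python
"""Added example, not code from the advisory or from TAK cms.

Server-side rate limiting and lockout as a mitigation for the two issue
classes reported: brute force against login forms and unthrottled automated
submissions to unauthenticated forms (contact, password recovery).
"""
import hmac
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window counter per key (account name, client IP, ...).

    At most `limit` events are tolerated per `window` seconds; the event that
    exceeds the limit locks the key for `lockout` seconds. The clock is
    injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, limit, window, lockout, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._events = defaultdict(deque)   # key -> timestamps inside window
        self._locked_until = {}             # key -> time the lockout ends

    def is_blocked(self, key):
        """True while the key is in its lockout period."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]         # lockout expired
        return False

    def record(self, key):
        """Record one event for key; returns True if this event locked it."""
        now = self.clock()
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()                     # drop events outside the window
        q.append(now)
        if len(q) > self.limit:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False


class LoginGuard:
    """Login handler with failed-attempt throttling per account and per IP."""

    def __init__(self, users, clock=time.monotonic):
        self.users = users                  # assumed store: username -> secret
        self.by_account = AttemptLimiter(limit=5, window=300, lockout=900, clock=clock)
        self.by_ip = AttemptLimiter(limit=20, window=300, lockout=900, clock=clock)

    def login(self, username, password, client_ip):
        """Returns 'ok', 'denied' or 'locked'. Unknown users are counted too,
        so the response does not reveal which accounts exist."""
        if self.by_account.is_blocked(username) or self.by_ip.is_blocked(client_ip):
            return "locked"
        stored = self.users.get(username, "")
        # Constant-time comparison; a real system would verify a password hash.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            return "ok"
        locked = self.by_account.record(username)
        locked = self.by_ip.record(client_ip) or locked
        return "locked" if locked else "denied"


class FormGuard:
    """Per-IP submission throttle for forms that carry no CAPTCHA."""

    def __init__(self, per_hour=3, clock=time.monotonic):
        self.limiter = AttemptLimiter(limit=per_hour, window=3600, lockout=3600, clock=clock)

    def submit(self, client_ip):
        """Returns 'accepted' or 'throttled'."""
        if self.limiter.is_blocked(client_ip) or self.limiter.record(client_ip):
            return "throttled"
        return "accepted"


if __name__ == "__main__":
    # Constructed demo data (not from the advisory).
    guard = LoginGuard({"alice": "correct horse battery staple"})
    for attempt in range(7):
        print(attempt + 1, guard.login("alice", "guess%d" % attempt, "198.51.100.7"))
    forms = FormGuard(per_hour=3)
    print([forms.submit("203.0.113.5") for _ in range(4)])
```

The thresholds are illustrative. Keying the login limiter on both the account and the source address is what makes it useful against the case the advisory describes: a per-account lockout alone can be used to lock legitimate users out, while a per-IP limit alone does nothing against a distributed guesser, so the two are used together. For the contact and password-recovery forms the advisory's own suggested control is a CAPTCHA; a per-IP throttle like FormGuard complements it rather than replacing it.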
