Message-ID: <4BBF9BFB.7080002@pacbell.net>
Date: Fri, 09 Apr 2010 14:28:27 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in phpCOIN

About Us:
http://phpcoin.com/mod.php?mod=siteinfo&id=4

It is with profound sorrow, sadness and regret, that COINSoft 
Technologies Inc. must announce the death of their lead developer 
Stephen M. Kitching (cantex) after a mercifully short battle with cancer.

Stephen was both an inspiration and good friend to everyone who knew and 
worked with him. He will be greatly missed, and his ingenuity and work 
will live on in the thoughts of all those, who were and will be touched, 
by the contributions he made to the software he dedicated his life to.

Our deepest sympathies, hearts and prayers go out to Stephen's family and 
friends.

-------------

If I were a customer of theirs I'd be cutting them some slack.  I'm just 
sayin'.

MustLive wrote:
> Hello Bugtraq!
>
> I want to warn you about security vulnerabilities in the phpCOIN system.
>
> -----------------------------
> Advisory: Vulnerabilities in phpCOIN
> -----------------------------
> URL: http://websecurity.com.ua/4090/
> -----------------------------
> Affected products: phpCOIN 1.6.5 and previous versions.
> -----------------------------
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 01.04.2010 - disclosed at my site.
> 02.04.2010 - informed developers.
> -----------------------------
> Details:
>
> These are Insufficient Anti-automation and Denial of Service
> vulnerabilities.
>
> The vulnerabilities exist in the captcha script CaptchaSecurityImages.php,
> which is used in this system. I already reported vulnerabilities in
> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>
> Insufficient Anti-automation:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
>
> Captcha bypass is possible via half-automated or automated (using OCR)
> methods, which were mentioned before (http://websecurity.com.ua/4043/).
>
> DoS:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
>
> By setting large values of width and height it's possible to create a
> large load on the server.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
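A defensive counterpart to the quoted advisory, added here as an example and not code from phpCOIN or the CaptchaSecurityImages script: a Python sketch of the server-side validation a CAPTCHA image endpoint needs so that client-supplied `width`, `height` and `characters` can neither inflate the image buffer nor shrink the challenge. The two advisory URLs serve as input; the limits, the `MAX_PIXELS` budget and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Server-side policy for the CAPTCHA image generator. These limits are
# assumed values chosen for this example, not phpCOIN's own settings.
LIMITS = {
    "width":      (100, 300, 150),   # (min, max, default)
    "height":     (40, 120, 50),
    "characters": (6, 8, 6),
}
MAX_PIXELS = 300 * 120  # hard cap on the image buffer one request may allocate


def _bounded_int(raw, lo, hi):
    """Return (value, None) when raw is an integer within [lo, hi],
    otherwise (None, reason)."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None, "not_an_integer"
    if not lo <= value <= hi:
        return None, "out_of_range"
    return value, None


def harden_captcha_params(url):
    """Derive safe generator parameters from a request URL.

    Every client-supplied value is checked against LIMITS; a rejected value
    falls back to the server default and is recorded so the handler can log
    it (repeated rejects from one client are a useful abuse signal)."""
    query = parse_qs(urlsplit(url).query)
    params, rejected = {}, {}
    for name, (lo, hi, default) in LIMITS.items():
        raw = query.get(name, [None])[0]
        if raw is None:
            params[name] = default
            continue
        value, reason = _bounded_int(raw, lo, hi)
        if reason:
            rejected[name] = (raw, reason)
            params[name] = default
        else:
            params[name] = value
    # Defence in depth: even in-range width*height must fit the pixel budget,
    # so a later change to LIMITS cannot silently reopen the DoS.
    pixels = params["width"] * params["height"]
    if pixels > MAX_PIXELS:
        rejected["pixels"] = (pixels, "budget_exceeded")
        params["width"], params["height"] = LIMITS["width"][2], LIMITS["height"][2]
    return params, rejected
```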
