Open Source and information security mailing list archives
Date: Fri, 16 Apr 2010 11:24:22 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: James Martin <eaglejfm@...il.com>
Cc: MustLive <mustlive@...security.com.ua>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo

Define vulnerability here.  I don't think this is one.

Granted, I have to apologize that my post was a very tongue-in-cheek 
snarky comment regarding the fact that Mr. MustLive appears to be 
posting up one by one every web site that he finds with a bad captcha 
implementation.  I was outing myself in advance because the captcha on 
my blog site lets spammers wiggle in.  But the spam clean-up routine 
clears it out in a week, so at most it's an annoyance to me, not a 
vulnerability.  So I know I have this issue, but on my stack of risks to 
worry about, this is not one that keeps me awake at night.

Is it of value to this list to be notified of every single web site out 
there that has such a captcha deployment?  How about we ask Mr. MustLive 
to post a recap once a month of these types of issues rather than each 
time he finds a site?

Is this of such a degree of impact to a system's information assurance 
that this audience has to be informed of each instance?
http://en.wikipedia.org/wiki/Vulnerability_(computing)

I have this "vulnerability" on my site.  I ignore it for now.  I have 
higher priority risks to deal with, this gets handled by the spam engine 
on the box.

My implied point is that I think we've already been informed that 
captcha has weaknesses and in general isn't a 100% effective gatekeeper. 



James Martin wrote:
> Dear Susan:
>
> Respectfully, why did you subscribe to Bugtraq?  I subscribed to be 
> notified when a vulnerability was found with software that I am using. 
> Just saying.
>
> Regards
>
>
>
> On Apr 15, 2010, at 2:11 PM, Susan Bradley <sbradcpa@...bell.net> wrote:
>
>> Dear Bugtraq.
>>
>> I am an admin of a site that has Captcha that spam gets through and 
>> the CPU sucks.
>>
>> Honest question -- are you going to post about every site that has 
>> lousy captcha?  Would it be faster if us admins that have lousy 
>> captcha just outted ourselves first?
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about a security vulnerability in the plugin CB Captcha
>>> (plug_cbcaptcha) for the component Community Builder (com_comprofiler) for
>>> Joomla and Mambo. The posting of this advisory to mailing lists was
>>> delayed, because I found that there are two different vulnerable versions
>>> of the plugin developed by different authors, so I needed to inform all
>>> authors.
>>>
>>> -----------------------------
>>> Advisory: Vulnerability in CB Captcha for Joomla and Mambo
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4087/
>>> -----------------------------
>>> Affected products: CB Captcha 1.0.2 and previous versions (developed by
>>> Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat).
>>> -----------------------------
>>> Timeline:
>>> 17.03.2010 - found vulnerability.
>>> 31.03.2010 - disclosed at my site.
>>> 01.04.2010 - informed the developer of CB Captcha 1.x. Because I found
>>> another version of the plugin by another author, after checking it later
>>> I informed the author of CB Captcha 2.x.
>>> 13.04.2010 - additionally informed the developers of Community Builder
>>> (both joomlapolis.com and communitybuilder.ru).
>>> -----------------------------
>>> Details:
>>>
>>> This is an Insufficient Anti-automation vulnerability.
>>>
>>> This plugin is based on the captcha script CaptchaSecurityImages.php, and I
>>> already reported vulnerabilities in CaptchaSecurityImages
>>> (http://websecurity.com.ua/4043/). In the plugin plug_cbcaptcha all
>>> Insufficient Anti-automation and Denial of Service vulnerabilities from
>>> the original script were fixed, except one.
>>>
>>> Insufficient Anti-automation:
>>>
>>> In the plugin it's possible to bypass the captcha using the session reuse
>>> with constant captcha bypass method (http://websecurity.com.ua/1551/),
>>> which was described in the project Month of Bugs in Captchas. With this
>>> method it's possible to bypass the protection by sending the same captcha
>>> code.
>>>
>>> It can be done on all pages where this plugin is used. In CB Captcha 1.x
>>> it's used on the registration page, lost password form and lost email
>>> form. In CB Captcha 2.x, in addition to the before-mentioned forms, it's
>>> used on the contact form (in the presence of the component CB Contact 1.1)
>>> and login form (in the presence of the login module of CB 1.2).
>>>
>>> PoC:
>>>
>>> The PoC for this Insufficient Anti-automation vulnerability was provided
>>> to the developers. Everyone who wants can create such a PoC from the
>>> exploit provided in the above-mentioned article from the MoBiC project.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>>
>

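An added example, not code from the CB Captcha plugin or from anyone in this thread: a minimal model of the session-reuse bypass the advisory describes (a captcha code kept in the session and never invalidated, so one solved code keeps passing), beside a one-time-use check that closes it. The session is modelled as a plain dict, and the function names are assumptions of this illustration.

```python
# Added example: session-reuse ("constant captcha") weakness vs. one-time-use check.
# Session is a dict standing in for $_SESSION; function names are assumptions.
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def render_captcha(session: dict) -> str:
    """Like the image script: pick a code and store it in the session.
    Returns the code so the caller can 'read' the image in this model."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(6))
    session["captcha_code"] = code
    return code


def verify_vulnerable(session: dict, submitted: str) -> bool:
    """Weak pattern: compare but never invalidate. Once the code has been solved
    once, the same session cookie plus the same code passes on every submission
    until a new image is rendered, which an automated client simply never does."""
    expected = session.get("captcha_code")
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def verify_hardened(session: dict, submitted: str) -> bool:
    """One-time use: the stored code is consumed on every attempt, pass or fail,
    so each form submission requires a freshly rendered image."""
    expected = session.pop("captcha_code", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def replay_passes(verify, attempts: int = 3) -> bool:
    """Simulate a client that solves the captcha once, then resubmits the same
    code `attempts` times without fetching a new image. True means the replays
    were accepted."""
    session = {}
    code = render_captcha(session)
    first = verify(session, code)          # the genuine first submission
    return first and all(verify(session, code) for _ in range(attempts))


if __name__ == "__main__":
    print("replay accepted by vulnerable check:", replay_passes(verify_vulnerable))
    print("replay accepted by hardened check:  ", replay_passes(verify_hardened))
```

The hardened check also consumes the code on a failed attempt, so a wrong guess cannot be followed by retrying against the same stored value.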