[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <008101cadda4$351787b0$010000c0@ml>
Date: Fri, 16 Apr 2010 23:33:04 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Matteo Valenza" <ilmetu@...il.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo
Hello Matteo Valenza!
> how can i solve this issue quickly ?
There are the next solutions for you:
1. Wait until developers of CB Captcha released new fixed version of the
plugin. They are examining this vulnerability for some time already (at
least Beat, developer of CB Captcha 2.x, because from two authors only he
answered me). But Beat told me, that they will be releasing the new fixed
version not very quickly (due to their standardized bugfixing process), so
users of CB Captcha will need to wait for new release.
2. Contact Beat and ask him when developers will be releasing new version of
plugin and to hurry them.
3. Fix the hole manually. It's the most quickest solution and it's possible
that you was asking exactly about it.
To fix this vulnerability in CB Captcha you need to do, what I recommend to
developers of the plugin - to use standard algorithm of fixing such captcha
bypass method, which I called session reusing with constant captcha bypass
method and described in details in my MoBiC project in 2007. And it concerns
all captcha-programs which are using sessions.
The algorithm of fixing this issue in CaptchaSecurityImages.php (and it's
concerns to CB Captcha and to all those webapps with this captcha in my last
advisories, where I mentioned that) was described by developers of
CaptchaSecurityImages.php already at 27.03.2007 at their site
(http://www.white-hat-web-design.co.uk/articles/php-captcha.php). For that
you need to clear session variable "security_code" (or other name which is
used in the code of specific webapp). Use unset($_SESSION['security_code']);
in the code when you are processing the form.
This solution can be used for all affected web applications mentioned by me
in last advisories (that have this hole). But concerning CB Captcha if it
works in Joomla 1.0 and Mambo, it doesn't work in Joomla 1.5, because it
uses another method to work with sessions and for it another code must be
used (for clearing of session).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Matteo Valenza" <ilmetu@...il.com>
To: "Susan Bradley" <sbradcpa@...bell.net>
Cc: "MustLive" <mustlive@...security.com.ua>; <bugtraq@...urityfocus.com>
Sent: Friday, April 16, 2010 8:08 PM
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo
how can i solve this issue quickly ?
Thanks.
Il giorno 15/apr/2010, alle ore 21.11, Susan Bradley ha scritto:
> Dear Bugtraq.
>
> I am an admin of a site that has Captcha that spam gets through and the
> CPU sucks.
>
> Honest question -- are you going to post about every site that has lousy
> captcha? Would it be faster if us admins that have lousy captcha just
> outted ourselves first?
>
> MustLive wrote:
>> Hello Bugtraq!
>>
>> I want to warn you about security vulnerability in plugin CB Captcha
>> (plug_cbcaptcha) for component Community Builder (com_comprofiler) for
>> Joomla and Mambo. The posting of this advisory to mailing lists was
>> delayed,
>> because I found that there are two different vulnerable versions of
>> plugin
>> developed by different authors, so I needed to inform all authors.
>>
>> -----------------------------
>> Advisory: Vulnerability in CB Captcha for Joomla and Mambo
>> -----------------------------
>> URL: http://websecurity.com.ua/4087/
>> -----------------------------
>> Affected products: CB Captcha 1.0.2 and previous versions (developed by
>> Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat).
>> -----------------------------
>> Timeline:
>> 17.03.2010 - found vulnerability.
>> 31.03.2010 - disclosed at my site.
>> 01.04.2010 - informed developer of CB Captcha 1.x. And because I found
>> other
>> version of the plugin by another author, and after checking it later I
>> informed author of CB Captcha 2.x.
>> 13.04.2010 - additionally informed developers of Community Builder (both
>> joomlapolis.com and communitybuilder.ru).
>> -----------------------------
>> Details:
>>
>> This is Insufficient Anti-automation vulnerability.
>>
>> This plugin is based on captcha script CaptchaSecurityImages.php and I
>> already reported about vulnerabilities in CaptchaSecurityImages
>> (http://websecurity.com.ua/4043/). And in plugin plug_cbcaptcha were
>> fixed
>> all Insufficient Anti-automation and Denial of Service vulnerabilities
>> from
>> original script, except one.
>>
>> Insufficient Anti-automation:
>>
>> In the plugin it's possible to bypass captcha with using of session
>> reusing
>> with constant captcha bypass method (http://websecurity.com.ua/1551/),
>> which
>> was described in project Month of Bugs in Captchas. With using of this
>> method it's possible to bypass protection by sending the same code of
>> captcha.
>>
>> It can be done at all pages where this plugin is used. In CB Captcha 1.x
>> it's using at registration page, lost password form and lost email form.
>> In
>> CB Captcha 2.x, in addition to before-mentioned forms, it's using at
>> contact
>> form (in the presence of component CB Contact 1.1) and login form (in the
>> presence of login module of CB 1.2).
>>
>> PoC:
>>
>> The PoC for this Insufficient Anti-automation vulnerability was provided
>> to
>> developers. Everyone who want can create such PoC from exploit provided
>> in
>> above-mentioned article from MoBiC project.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
Powered by blists - more mailing lists