Message-ID: <4BC57A83.3040105@acunetix.com>
Date: Wed, 14 Apr 2010 11:19:15 +0300
From: Bogdan Calin <bogdan@...netix.com>
To: Kaddeh <kaddeh@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: Insufficient Anti-automation and Denial of Service vulnerabilities in multiple systems

Can we all please ignore MustLive? There is a good chance that he will
go away if nobody responds to his "advisories".

Thanks!

Kaddeh wrote:
> First off, I am curious how many of the developers responded to your
> notification to them about these vulnerabilities.
> Secondly, just a thought, if you are testing a piece of obscure software, at
> least try and link to their site/repo or whatever.
> Third, if all of these CMS vulns that you are finding are true (I am
> assuming that they are possible), why are you testing CMS software that was
> last updated 2 years ago like HoloCMS (at least, without proper links to
> home pages, I can't tell short of doing a Google search)?
> Additionally, I would assume that you tested these on a machine that you
> yourself have; specs of this machine would be nice. I know that I have seen
> several vulns come through that can be reproduced, but you have to have a
> very select configuration (i.e., document.write "bugs" that only fail on
> 32-bit, VM issues with VT-x on 32-bit, etc.)
> 
> Cheers
> 
> Kad
> 
> On Mon, Apr 12, 2010 at 1:42 PM, MustLive <mustlive@...security.com.ua>wrote:
> 
>> Hello Full-Disclosure!
>>
>> I want to warn you about Insufficient Anti-automation and Denial of Service
>> vulnerabilities in multiple systems.
>>
>> This is additional information to my advisories about MiniManager for Project
>> MANGOS and HoloCMS.
>>
>> I have already reported about Insufficient Anti-automation and Denial of
>> Service vulnerabilities in CaptchaSecurityImages and in many systems which
>> are using the script CaptchaSecurityImages.php. About vulnerabilities in
>> some other systems (already disclosed at my site) I'll write to the
>> list soon, when the queue comes to them.
>>
>> As I mentioned before, there are many vulnerable web sites and web
>> applications with CaptchaSecurityImages.php. And as you
>> can see from all my advisories on this subject, there are really many
>> vulnerable CMS with it. But these are only those which I found in one
>> Google dork, and there can be a lot of other systems which are using the
>> same vulnerable CaptchaSecurityImages.php, e.g. those which are not indexed by
>> Google, open source systems which have no online SVN, commercial systems
>> (both open source and closed source which decided to use this GPL script) and
>> those systems which changed the filename of CaptchaSecurityImages.php.
>>
>> So I made additional research on vulnerable systems previously reported by
>> me, and found many projects which are also affected. Here is a list of them
>> as an addition to my two previous advisories. I already combined information
>> about vulnerabilities in GunCMS and PhoenixCMS PHP Edition into one
>> advisory, and in this advisory I'm using the same approach, where I combine
>> multiple vulnerable systems into one advisory not just because they use the same
>> script, but when they use the code of other systems.
>>
>> Concerning vulnerabilities in MiniManager for Project MANGOS
>> (http://websecurity.com.ua/4061/):
>>
>> - Land of Legends Manager (LoL Manager) is based on MiniManager for Project
>> MANGOS (there is a mention of CaptchaSecurityImages.php in the code of the
>> system, but the file itself is not in SVN).
>> - WoWCrackz MaNGOS is based on MiniManager for Project MANGOS (only the path to
>> CaptchaSecurityImages.php is different).
>>
>> Resulting list of affected software:
>>
>> Affected products: MiniManager for Project MANGOS 0.15 and previous
>> versions, Land of Legends Manager, WoWCrackz MaNGOS.
>>
>> Concerning vulnerabilities in HoloCMS (http://websecurity.com.ua/4068/) and
>> in addition to GunCMS and PhoenixCMS PHP Edition
>> (http://websecurity.com.ua/4075/):
>>
>> - Baboh Emulator includes HoloCMS.
>> - CoreCMS is based on HoloCMS.
>> - Holograph Emulator can include HoloCMS.
>> - Holograph Emulator - Craigs Edition includes CoreCMS.
>> - 0niCMS is based on HoloCMS.
>> - AJ-CMS is a new version of HoloCMS.
>> - HoloCMS v3.2.0 Synergy is a new version of HoloCMS.
>> - HoloCMSrW is another version of HoloCMS.
>> - Mir is a new version of HoloCMS.
>> - Alexx Hotel includes HoloCMS.
>>
>> In most cases (except a few) I have not succeeded in viewing the source code
>> of these CMS and in checking for the existence in them of the vulnerabilities from
>> HoloCMS (due to the lack of such code in online SVN). But taking into account
>> that all these projects use old vulnerable code of HoloCMS, then without
>> doubt they are all vulnerable.
>>
>> Resulting list of affected software:
>>
>> Affected products: HoloCMS 1.3.1, 3.1 and previous versions, GunCMS,
>> PhoenixCMS PHP Edition, Baboh Emulator, CoreCMS, Holograph Emulator,
>> Holograph Emulator - Craigs Edition, 0niCMS, AJ-CMS, HoloCMS v3.2.0 Synergy,
>> HoloCMSrW, Mir, Alexx Hotel.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> 

-- 
Bogdan Calin - bogdan@...netix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog

