Message-ID: <r2of5dc671004151729p326e1f45u50efcfeb3d631181@mail.gmail.com>
Date: Fri, 16 Apr 2010 01:29:31 +0100
From: Benji <me@...ji.com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu,
Jeff Kell <Jeff-Kell@....edu>
Subject: Re: Vulnerabilities in phpCOIN
tl;dr you're all supposedly wrong
On Thu, Apr 15, 2010 at 9:55 PM, MustLive <mustlive@...security.com.ua> wrote:
> Hello Jan, Valdis, Christian and Jeff!
>
> I'll answer all your letters in one message. Even though I have already
> banned Jan and he has put my email on his blacklist, it's possible that he
> will read it on the list.
>
> First, it's good that my advisory about vulnerabilities in phpCOIN (and
> also many previous advisories concerning CaptchaSecurityImages.php) gave
> you occasion for the discussion. But for me it's strange, because my
> message to the list was meant only for informational purposes.
>
> Second, last week I answered a letter with questions concerning these
> vulnerabilities in CaptchaSecurityImages.php and the web apps that use it
> (http://www.securityfocus.com/archive/1/510625/30/0/threaded). I
> recommend that everyone who has decided to ask me any question on this
> subject look at it (because in that letter I answered many questions).
>
> > Quoting the list charter: "Gratuitous advertisement, product
> > placement, or self-promotion is forbidden."
>
> And from what do you see that I'm doing any advertising, product placement
> or promotion? Jan, if you do such things, you don't need to think that
> other people do them. If you are a mercantile person, you don't need to
> think that others are the same. Never judge other people by yourself.
>
> For more than five years, while I have been working in webappsec and
> informing admins of web sites and web developers all over the world about
> holes in their sites (web apps), I have only been spending my own time to
> help people (mostly I do the same in other fields). And 99% of my work in
> the webappsec field during this time was free and gratuitous. So any lame
> statements about mercantilism addressed to me are not serious.
>
> And also tell me, please, are you a moderator of the list? You aren't, so
> why are you blaming me for breaking the list charter? There is a
> moderator, so he must do it (and let him do his work). All my letters to
> the list are first approved by the moderator (for all the time I have been
> posting to the list, since September 2009) - so if he finds my messages
> appropriate, then there must be no questions (especially lame ones).
>
> Besides, over many years I have seen many cases of direct advertising in
> security advisories (of different security software, services and
> companies). And this advertising can't influence me, because I can
> distinguish adverts from the other text in advisories. And I have never
> seen Jan blame any of the many such cases of advertising in security
> lists. So it's already a double standard (which is not good).
>
> > And where's the point in reporting several projects that use a -say-
> > library which has a reported problem?
>
> I have already answered this question on Bugtraq (see the above-mentioned
> link). Here is a quote:
>
> Because the developers of CaptchaSecurityImages already fixed most of the
> holes in their script in 2007 and still many developers around the world
> are using the vulnerable version of the script or "develop" holes (by
> ignoring the developer's recommendations), I decided to inform those web
> developers too and to write additional advisories. Not to inform every
> site owner with this CaptchaSecurityImages.php (there are too many of
> them), but to inform all web developers who use this script. It's the
> only way to draw their attention to these issues.
>
> Your non-acceptance of advisories about different applications with holes
> in the same script (library) is incorrect and is also a double standard.
> And later in this letter I'll write more about this.
>
> > (I mean, you've sent quite the same mail with a different software to
> > bugtraq, today.)
>
> Man, I post the same message at the same time to Bugtraq and to
> Full-Disclosure (and whoever decides to publish it will do so). I decided
> to post to both lists because in 2009 I saw a few times some not serious
> behavior from Bugtraq's moderator (and then in September 2009 I started
> posting to this list). If you found other software with holes in
> CaptchaSecurityImages.php on Bugtraq that day, it's just because
> Bugtraq's moderator only approved my letter that day.
>
> > The whole point of your "advisories" is self promotion and promotion
> > of your website.
>
> I already answered your not serious blaming above. If you look at any link
> and see promotion in it, then it's your problem. And because you have
> never blamed other advisories "for links" (especially the advertising
> links which I mentioned above), and only wrote about my advisories, it's a
> double standard.
>
> > A few years ago, a rather nasty vulnerability was found in the zlib
> > compression library.
>
> Thanks, Valdis, for your example.
>
> Over many years I have seen a lot of such cases in security mailing lists,
> where there were a lot of different advisories about the same holes in
> different applications.
>
> Among the examples of such vulnerabilities in different applications (web
> and desktop) I'll give the following: different developers of Linux
> distributions, which all the time release separate advisories about holes
> in all the applications (made by different developers) which they include
> in the bundle; the last case with Flash 6 in Windows XP; different open
> source projects, e.g. PHP (which uses external libraries), and also
> projects which use PCRE, curl and other popular libraries; and web apps
> which include other web apps (and libraries), similarly to the case with
> CaptchaSecurityImages.php. I see such cases all the time in mailing lists
> and I have never seen Jan's, nor anyone else's, blaming of such
> advisories.
>
> So what's Jan's problem (and that of all the others who are moaning about
> these CaptchaSecurityImages.php related issues)? The problem concerning
> advisories about similar issues in different software is the same as
> mentioned above - it's a double standard (which is not good).
>
> > It isn't *just* Apple, it's Linux, Microsoft and just about any other
> > company.
>
> Christian, you are right. A lot of software, both open source and closed
> source, consists of a lot of additional programs (or libraries) and it's
> very widespread for software to put a lot of other apps in a bundle.
> Sometimes even doing it hiddenly, and it's not about adware and other
> spyware, but about legitimate applications.
>
> And my latest research, such as on XSS vulnerabilities in 34 million
> flash files (in one single swf-file which is widespread all over the Web)
> and on CaptchaSecurityImages.php and the web apps which are using it,
> shows that vulnerable (web) applications, particularly open source ones,
> can spread very widely.
>
> > various "hitch hiker" applications... toolbars, trial software, etc.
>
> Jeff, I agree with you. Every year the amount of "bundled" software
> (which comes with other applications) is growing. And all of these apps,
> both "main" and "bundled" ones, can have their own holes (so with every
> additional "bonus" program the overall security of the system decreases).
> So everyone must take care with "additional apps", both web and desktop
> (such as toolbars), and install only what they really want.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Jan G.B." <ro0ot.w00t@...glemail.com>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Sent: Friday, April 09, 2010 4:49 PM
> Subject: Re: [Full-disclosure] Vulnerabilities in phpCOIN
>
>
> > 2010/4/9 MustLive <mustlive@...security.com.ua>:
> >> Hello Full-Disclosure!
> >>
> >
> > Quoting the list charter: "Gratuitous advertisement, product
> > placement, or self-promotion is forbidden."
> >
> > And where's the point in reporting several projects that use a -say-
> > library which has a reported problem? (I mean, you've sent quite the
> > same mail with a different software to bugtraq, today.)
> >
> > The whole point of your "advisories" is self promotion and promotion
> > of your website.
> >
> >> I want to warn you about security vulnerabilities in the phpCOIN system.
> >>
> >> -----------------------------
> >> Advisory: Vulnerabilities in phpCOIN
> >> -----------------------------
> >> URL: http://websecurity.com.ua/4090/
> >> -----------------------------
> >> Affected products: phpCOIN 1.6.5 and previous versions.
> >> -----------------------------
> >> Timeline:
> >> 17.03.2010 - found vulnerabilities.
> >> 01.04.2010 - disclosed at my site.
> >> 02.04.2010 - informed developers.
> >> -----------------------------
> >> Details:
> >>
> >> These are Insufficient Anti-automation and Denial of Service
> >> vulnerabilities.
> >>
> >> The vulnerabilities exist in the captcha script CaptchaSecurityImages.php,
> >> which is used in this system. I already reported the vulnerabilities in
> >> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
> >>
> >> Insufficient Anti-automation:
> >>
> >> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
> >>
> >> Captcha bypass is possible via half-automated or automated (using OCR)
> >> methods, which were mentioned before (http://websecurity.com.ua/4043/).
> >>
> >> DoS:
> >>
> >> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
> >>
> >> By setting large values of width and height it's possible to create a
> >> large load on the server.
> >>
> >> Best wishes & regards,
> >> MustLive
> >> Administrator of Websecurity web site
> >> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
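Both URLs in the quoted advisory show the same root cause: width, height and characters are read from the query string, so the client picks both the canvas size (DoS) and the code length (bypass). The script below is an added example written for this thread, not code from phpCOIN or from CaptchaSecurityImages.php (whose internals are not shown on this page). It assumes the bundled script reads those three values from $_GET, as the advisory URLs indicate, and shows the fix a web developer bundling such a script would apply: fixed server-side parameters, a CSPRNG-generated code stored in the session, and a single-use, constant-time check on the form side. All names and constants are this example's own.

```php
<?php
// Added example, not code from phpCOIN or CaptchaSecurityImages.php.
// Assumption: the bundled script reads width, height and characters from
// $_GET, as the two advisory URLs show. Everything here is illustrative.

session_start();

// Vulnerable pattern (reconstructed from the advisory URLs, not the
// script's actual code): the client chooses the image size and code length.
//
//   $width      = isset($_GET['width'])      ? (int) $_GET['width']      : 120;
//   $height     = isset($_GET['height'])     ? (int) $_GET['height']     : 40;
//   $characters = isset($_GET['characters']) ? (int) $_GET['characters'] : 6;
//
// width=1000&height=9000 then allocates a 9,000,000-pixel canvas on every
// request (DoS), and characters=2 leaves at most a few thousand possible
// codes for a typical alphanumeric alphabet (bypass, with or without OCR).

// Hardened: fixed server-side values; the request is not consulted at all.
const CAPTCHA_WIDTH      = 150;
const CAPTCHA_HEIGHT     = 50;
const CAPTCHA_CHARACTERS = 6;
// Alphabet without 0/O and 1/I, which users confuse.
const CAPTCHA_ALPHABET   = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

function captcha_code(int $length): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max      = strlen($alphabet) - 1;
    $code     = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)]; // CSPRNG, not rand()/mt_rand()
    }
    return $code;
}

function captcha_render(string $code, int $width, int $height): void
{
    $img = imagecreatetruecolor($width, $height);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 30, 30, 30);
    imagefilledrectangle($img, 0, 0, $width - 1, $height - 1, $bg);

    // Noise lines so the glyphs are not cleanly separable by a straight
    // OCR pass. Noise raises the bar; the code length is what actually
    // bounds a guessing attack.
    for ($i = 0; $i < 8; $i++) {
        $c = imagecolorallocate($img, random_int(100, 200), random_int(100, 200), random_int(100, 200));
        imageline($img, random_int(0, $width - 1), random_int(0, $height - 1),
                        random_int(0, $width - 1), random_int(0, $height - 1), $c);
    }

    $step = intdiv($width - 20, strlen($code));
    $x    = 10;
    foreach (str_split($code) as $ch) {
        // Built-in GD font 5 (9x15 px); jitter the baseline per glyph.
        imagestring($img, 5, $x, random_int(4, max(4, $height - 20)), $ch, $fg);
        $x += $step;
    }

    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    imagepng($img);
    imagedestroy($img);
}

// Form-handler side: one attempt per image, constant-time comparison.
function captcha_verify(string $submitted): bool
{
    if (!isset($_SESSION['captcha_code'])) {
        return false;
    }
    $expected = $_SESSION['captcha_code'];
    unset($_SESSION['captcha_code']); // single use: no replay, no brute force against one image
    return hash_equals(strtoupper($expected), strtoupper(trim($submitted)));
}

// Image endpoint: generate, remember, render. Nothing from $_GET is used.
function captcha_endpoint(): void
{
    $code = captcha_code(CAPTCHA_CHARACTERS);
    $_SESSION['captcha_code'] = $code;
    captcha_render($code, CAPTCHA_WIDTH, CAPTCHA_HEIGHT);
}

captcha_endpoint();
```

Serve this file as the captcha image and call captcha_verify($_POST['captcha']) from the form handler (in a real app the verify function would live in an included file rather than next to the endpoint call). If the image size must vary per theme, pick it from a server-side allowlist keyed by a short name rather than accepting raw numbers, and keep the endpoint behind the same rate limit as the form it protects; either way the query string must never decide how many pixels get allocated or how many characters the user has to read.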