lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <00a501cadc8e$52d30bb0$010000c0@ml>
Date: Thu, 15 Apr 2010 14:24:56 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerability in CB Captcha for Joomla and Mambo

Hello Full-Disclosure!

I want to warn you about security vulnerability in plugin CB Captcha
(plug_cbcaptcha) for component Community Builder (com_comprofiler) for
Joomla and Mambo. The posting of this advisory to mailing lists was delayed,
because I found that there are two different vulnerable versions of plugin
developed by different authors, so I needed to inform all authors.

-----------------------------
Advisory: Vulnerability in CB Captcha for Joomla and Mambo
-----------------------------
URL: http://websecurity.com.ua/4087/
-----------------------------
Affected products: CB Captcha 1.0.2 and previous versions (developed by
Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat).
-----------------------------
Timeline:
17.03.2010 - found vulnerability.
31.03.2010 - disclosed at my site.
01.04.2010 - informed developer of CB Captcha 1.x. And because I found other
version of the plugin by another author, and after checking it later I
informed author of CB Captcha 2.x.
13.04.2010 - additionally informed developers of Community Builder (both
joomlapolis.com and communitybuilder.ru).
-----------------------------
Details:

This is Insufficient Anti-automation vulnerability.

This plugin is based on captcha script CaptchaSecurityImages.php and I
already reported about vulnerabilities in CaptchaSecurityImages
(http://websecurity.com.ua/4043/). And in plugin plug_cbcaptcha were fixed
all Insufficient Anti-automation and Denial of Service vulnerabilities from
original script, except one.

Insufficient Anti-automation:

In the plugin it's possible to bypass captcha with using of session reusing
with constant captcha bypass method (http://websecurity.com.ua/1551/), which
was described in project Month of Bugs in Captchas. With using of this
method it's possible to bypass protection by sending the same code of
captcha.

It can be done at all pages where this plugin is used. In CB Captcha 1.x
it's using at registration page, lost password form and lost email form. In
CB Captcha 2.x, in addition to before-mentioned forms, it's using at contact
form (in the presence of component CB Contact 1.1) and login form (in the
presence of login module of CB 1.2).

PoC:

The PoC for this Insufficient Anti-automation vulnerability was provided to
developers. Everyone who want can create such PoC from exploit provided in
above-mentioned article from MoBiC project.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ