Open Source and information security mailing list archives
Date: Mon, 19 Apr 2010 18:29:25 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Fixing vulnerabilities in captcha-scripts mentioned in my last advisories

Hello Full-Disclosure!

Last Friday (16.04.2010) I wrote a letter to Bugtraq, answering a letter from
a reader of the list, with my recommendations for fixing the vulnerabilities
in captcha scripts mentioned in my last advisories. This applies both to CB
Captcha and to all web applications which include CaptchaSecurityImages.php.

Because my letter has still not been published on Bugtraq, I decided to send
it to the Full-Disclosure mailing list, in case it is useful to readers of the
list (those interested in fixing such holes in their captchas). The letter is
provided below.

P.S.

When I find time, I'll answer the letters of those readers of the list who
wrote to me recently regarding vulnerabilities in CaptchaSecurityImages.php
(so don't worry about that).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "MustLive"
To: "Matteo Valenza"
Cc: <bugtraq@...urityfocus.com>
Sent: Friday, April 16, 2010 11:33 PM
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo


Hello Matteo Valenza!

> how can i solve this issue quickly ?

There are the following solutions for you:

1. Wait until the developers of CB Captcha release a new fixed version of the
plugin. They have been examining this vulnerability for some time already (at
least Beat, developer of CB Captcha 2.x, because of the two authors only he
answered me). But Beat told me that they will not be releasing the new fixed
version very quickly (due to their standardized bugfixing process), so users
of CB Captcha will need to wait for the new release.

2. Contact Beat and ask him when the developers will be releasing the new
version of the plugin, and hurry them.

3. Fix the hole manually. It's the quickest solution, and it's possible that
you were asking exactly about it.

To fix this vulnerability in CB Captcha you need to do what I recommend to the
developers of the plugin: use the standard algorithm for fixing this captcha
bypass method, which I called the "session reusing with constant captcha"
bypass method and described in detail in my MoBiC project in 2007. It
concerns all captcha programs which use sessions.

The algorithm for fixing this issue in CaptchaSecurityImages.php (and it
concerns CB Captcha and all those webapps with this captcha in my last
advisories where I mentioned that) was already described by the developers of
CaptchaSecurityImages.php on 27.03.2007 at their site
(http://www.white-hat-web-design.co.uk/articles/php-captcha.php). For that
you need to clear the session variable "security_code" (or the other name
which is used in the code of the specific webapp). Use
unset($_SESSION['security_code']); in the code where you process the form.

This solution can be used for all affected web applications mentioned by me
in my last advisories (that have this hole). But concerning CB Captcha: while
it works in Joomla 1.0 and Mambo, it doesn't work in Joomla 1.5, because that
uses another method of working with sessions, and for it other code must be
used (for clearing the session).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Matteo Valenza"
To: "Susan Bradley"
Cc: "MustLive"; <bugtraq@...urityfocus.com>
Sent: Friday, April 16, 2010 8:08 PM
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo


How can I solve this issue quickly?

Thanks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
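The bypass MustLive describes above, and the one-line fix he recommends, simulated
in Python as an added example (this is not code from the thread, from CB Captcha or
from CaptchaSecurityImages.php). A plain dict stands in for $_SESSION, the handler
names, the six-character code alphabet and the "WRONG!" guess are constructed for
the demonstration, and session.pop() plays the role of
unset($_SESSION['security_code']):

```python
"""Session-reuse captcha bypass and its fix, simulated.

The server keeps the expected captcha answer in the user's session
(CaptchaSecurityImages.php stores it in $_SESSION['security_code']).
If the form handler only compares the submission against that value
and never clears it, one solved captcha can be replayed with the same
session cookie for as many submissions as the attacker likes.  The fix
is to consume the stored answer on every processed submission, which
is what unset($_SESSION['security_code']) does in the PHP script.

Constructed example; not the project's own code.
"""
import hmac
import secrets
import string

SESSION_KEY = "security_code"  # variable name used by CaptchaSecurityImages.php


def issue_captcha(session: dict, length: int = 6) -> str:
    """Generate a fresh code, store it in the session and return it.

    In the real script the code is rendered into an image; here the
    text is returned directly so the simulation can 'solve' it.
    """
    alphabet = string.ascii_uppercase + string.digits
    code = "".join(secrets.choice(alphabet) for _ in range(length))
    session[SESSION_KEY] = code
    return code


def vulnerable_handler(session: dict, submitted: str) -> bool:
    """Form handler with the hole: compares but never clears the answer."""
    expected = session.get(SESSION_KEY)
    return expected is not None and submitted == expected


def fixed_handler(session: dict, submitted: str) -> bool:
    """Form handler with the recommended fix applied.

    The stored answer is removed from the session as soon as the form is
    processed (the equivalent of unset($_SESSION['security_code'])),
    whether or not the submission matched.  A second POST with the same
    cookie therefore has nothing to match against and fails closed.
    """
    expected = session.pop(SESSION_KEY, None)
    return expected is not None and hmac.compare_digest(expected, submitted)


def replay_attack(handler, attempts: int) -> int:
    """Solve one captcha, then replay its answer `attempts` times with
    the same session.  Returns how many submissions were accepted."""
    session = {}                      # one cookie, one server-side store
    solved = issue_captcha(session)   # attacker solves the image once
    return sum(handler(session, solved) for _ in range(attempts))


def wrong_then_right(handler) -> bool:
    """One wrong guess, then the correct answer, same session.  Shows
    whether a failed attempt consumes the stored code (it must, or the
    same image can be brute-forced)."""
    session = {}
    solved = issue_captcha(session)
    handler(session, "WRONG!")        # bad guess; '!' is never in a code
    return handler(session, solved)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("fixed", fixed_handler)):
        print(f"{name}: {replay_attack(handler, 100)}/100 replays accepted, "
              f"wrong-then-right accepted: {wrong_then_right(handler)}")
```

With the vulnerable handler every one of the 100 replays is accepted and a wrong
guess costs the attacker nothing; with the fix only the first submission passes
and a failed attempt also invalidates the code, so the user has to be shown a new
image either way. The same fix carries over to any session-based captcha, which
is the point MustLive makes about it applying to all the affected applications.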
