[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4D5D8795.4070304@gmail.com>
Date: Thu, 17 Feb 2011 21:39:49 +0100
From: Michele Orru <antisnatchor@...il.com>
To: "Zach C." <fxchip@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerability in reCAPTCHA for Drupal
If you thing that some statements from MustLive like the following:
"
Full path disclosure (WASC-13):
At POST request to the page with form with using of Cyrillic char in
parameter op, the error message is showing, which consists the full path on
the system.
Vulnerabilities exist at pages:http://site/user/,http://site/user/1/edit,
http://site/user/password,http://site/user/register,http://site/contact,
http://site/user/1/contact. Other pages which have forms also can be
vulnerable.
Exploit:
http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html
As noted Drupal developers, these vulnerabilities appear due to turned on
debugging option in administrator panel. So for preventing of these and
other FPD at the site it's needed to turn off this option.
"
are not hilarious, then you're a really noob.
I mean, every Drupal user knows that the default path to register a new
user is user/register,
or that the default admin account is reachable at user/1, or that the
contact form is at the contact URI.
These are not vulnerabilities, and this is one of the many reasons why
almost no-one in FD
read his "advisories" and flag his address as spam :)
antisnatchor
> ------------------------------------------------------------------------
>
> Zach C. <mailto:fxchip@...il.com>
> February 17, 2011 7:29 PM
>
>
> Well, just playing devil's advocate here, mind you, I think much of
> the irritation from MustLive's postings comes from the following three
> reasons:
>
> 1.) MustLive is primarily a web-application specialist (for the sake
> of argument)
> 2.) The vulnerabilities he finds are of a class of vulnerabilities
> that are most common in his field. (Consider: someone searching for
> vulnerabilities in internet services directly and doing the binary
> analysis will primarily be finding buffer or stack overflows, right?
> In web security, XSS and SQL injection (as well as others I'm
> undoubtedly forgetting -- I am *NOT* counting "not using a CAPTCHA"
> here, see next item) are the most common vulnerabilities, given the
> lack of binary code to overwrite)
> 3.) Every so often he posts a vulnerability of questionable risk in
> the form of "anti-automation" which is essentially a fancy way of
> saying "ha ha they don't use CAPTCHA." I don't consider that a
> vulnerability so much as an opening for annoyance; I suppose your
> mileage may vary.
>
> My guess is that there's a thought that web apps are far easier to
> crack at than binaries, so vulnerabilities are easier to find,
> therefore don't waste time finding something that's "useless." That
> may be, in some cases, but sometimes a vulnerability in the web app
> destroys the entire chain, so to speak.
>
> Thoughts?
>
> -Zach
>
> (P.S. Still just playing devil's advocate; sometimes they get to annoy
> the crap out of me too.)
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> Eyeballing Weev <mailto:eyeballing.weev@...il.com>
> February 17, 2011 6:57 PM
>
>
> It's either he floods f-d with his "vulnerabilities" or he has to go out
> in the real world to farm dirt for export to the West.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> Zach C. <mailto:fxchip@...il.com>
> February 17, 2011 6:54 PM
>
>
> fucking *two days*? Is that even enough time for the vendor to
> acknowledge?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> ------------------------------------------------------------------------
>
> MustLive <mailto:mustlive@...security.com.ua>
> February 17, 2011 6:18 PM
>
>
> Hello list!
>
> I want to warn you about Insufficient Anti-automation vulnerability in
> reCAPTCHA for Drupal.
>
> In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for
> Drupal (http://websecurity.com.ua/1505/). This is new method of bypassing
> reCaptcha for Drupal.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of reCAPTCHA plugin for Captcha module
> versions
> before 6.x-2.3 and 7.x-1.0.
>
> ----------
> Details:
> ----------
>
> Insufficient Anti-automation (WASC-21):
>
> In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is
> using. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA
> other captcha-plugins also can be vulnerable (at that this exploit is a
> little different from exploit for default Captcha module for Drupal).
>
> For bypassing of captcha it's needed to use correct value of
> captcha_sid, at
> that it's possible to not answer at captcha (captcha_response) or set any
> answer. This method of captcha bypass is described in my project Month of
> Bugs in Captchas (http://websecurity.com.ua/1498/). Attack is possible
> while
> this captcha_sid value is active.
>
> Vulnerabilities exist on pages with forms: http://site/contact,
> http://site/user/1/contact, http://site/user/password and
> http://site/user/register. Other forms where reCAPTCHA is using also
> will be
> vulnerable.
>
> Exploit:
>
> http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html
>
> ------------
> Timeline:
> ------------
>
> 2010.12.11 - announced at my site.
> 2010.12.14 - informed reCAPTCHA developers.
> 2010.12.14 - informed Google (reCAPTCHA owner).
> 2011.02.16 - disclosed at my site.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4752/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
Download attachment "compose-unknown-contact.jpg" of type "image/jpeg" (1421 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists