lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4D5E7F21.4000801@ntlworld.com>
Date: Fri, 18 Feb 2011 14:16:01 +0000
From: Jacqui Caren-home <jacqui.caren@...world.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [AntiSnatchOr] Drupal <= 6.20
 insecure	Captcha defaults PoC

On 15/02/2011 16:55, Michele Orru wrote:
> 2011/2/14 MustLive<mustlive@...security.com.ua>:
>> Hello Michele!
>>
>> Few days ago I saw your advisory about Drupal's captcha. It's interesting
>> advisory, but I have one note concerning it - your research is very close to
>> mine ;-) (it concerns similar holes which I found before you).
>
> I didn't found anything in FD or other public lists mentioning
> this issue before, so.... :)

Its not just Drupal - a number of captcha systems are open to attacks of this form.
For instance hotfile.com is randomly open, allowing downloads of multiple files because
of capcha "cookie replay".

I have seen this - by accident I should point out - on a number of (commercial) sites where
captcha is employed for login or download sanity checks.

The most recent system to be borked during upgrade was http://www.nextgenserver.com/calculator/

Jacqui

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ