| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Feb 2011 21:30:37 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com> Subject: Brute Force and Abuse of Functionality vulnerabilities in Drupal Hello list! I want to warn you about Brute Force and Abuse of Functionality vulnerabilities in Drupal. ------------------------- Affected products: ------------------------- Vulnerable are Drupal 6.20 and previous versions. ---------- Details: ---------- Brute Force (WASC-11): In login form (http://site/user/) there is no reliable protection against brute force attacks. There is no captcha in Drupal itself, and existent Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/). Abuse of Functionality (WASC-42): At contact page (http://site/contact) and at page for contact with user (http://site/user/1/contact) there is a possibility to send spam from the site to arbitrary e-mails via function "Send yourself a copy". And with using of Insufficient Anti-automation vulnerability it's possible to send spam from the site in automated manner on a large scale. The attack with using of this function is possible only for logged in users. For automated sending of spam it's needed to use before-mentioned Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal itself, and existent captcha-module is vulnerable (and also all plugins to it, such as reCAPTCHA). About such Abuse of Functionality vulnerabilities I wrote in article Sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html). Abuse of Functionality (WASC-42): At request to specific pages of the site with setting login (http://site/users/user) it's possible to find existent logins of the users at site (i.e. to enumerate logins). If shows "Access denied" - then such login exists, and if "Page not found" - then no. At request to pages for contact with users (http://site/user/1/contact) login of the user shows (i.e. it's possible to enumerate logins). The attack is possible to conduct only for logged in users and it'll work only if attacked user turned on the option "Personal contact form" in his profile. ------------ Timeline: ------------ 2010.12.15 - announced at my site. 2010.12.16 - informed developers. 2011.02.17 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4763/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists