lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <00bb01cbcfa2$85e107c0$c103fea9@ml>
Date: Fri, 18 Feb 2011 21:30:37 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Brute Force and Abuse of Functionality
	vulnerabilities in Drupal

Hello list!

I want to warn you about Brute Force and Abuse of Functionality
vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

In login form (http://site/user/) there is no reliable protection against
brute force attacks. There is no captcha in Drupal itself, and existent
Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all
plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/).

Abuse of Functionality (WASC-42):

At contact page (http://site/contact) and at page for contact with user
(http://site/user/1/contact) there is a possibility to send spam from the
site to arbitrary e-mails via function "Send yourself a copy". And with
using of Insufficient Anti-automation vulnerability it's possible to send
spam from the site in automated manner on a large scale. The attack with
using of this function is possible only for logged in users.

For automated sending of spam it's needed to use before-mentioned
Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal
itself, and existent captcha-module is vulnerable (and also all plugins to
it, such as reCAPTCHA).

About such Abuse of Functionality vulnerabilities I wrote in article Sending
spam via sites and creating spam-botnets
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).

Abuse of Functionality (WASC-42):

At request to specific pages of the site with setting login
(http://site/users/user) it's possible to find existent logins of the users
at site (i.e. to enumerate logins). If shows "Access denied" - then such
login exists, and if "Page not found" - then no.

At request to pages for contact with users (http://site/user/1/contact)
login of the user shows (i.e. it's possible to enumerate logins). The attack
is possible to conduct only for logged in users and it'll work only if
attacked user turned on the option "Personal contact form" in his profile.

------------
Timeline:
------------

2010.12.15 - announced at my site.
2010.12.16 - informed developers.
2011.02.17 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4763/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ