Message-ID: <4D5ECC6A.7080501@madirish.net>
Date: Fri, 18 Feb 2011 14:45:46 -0500
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MustLive: you're a little late to this party, see
http://www.madirish.net/?article=443, published Dec 2009. The other
issues you mention may already be disclosed. The Drupal Login Security
module (http://drupal.org/project/login_security) is an effective
mitigation for some of these problems. Do you do any research before
you publish these advisories?

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public
key at http://www.madirish.net/gpgkey

On 02/18/2011 02:30 PM, MustLive wrote:
> Hello list!
>
> I want to warn you about Brute Force and Abuse of Functionality
> vulnerabilities in Drupal.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Drupal 6.20 and previous versions.
>
> ----------
> Details:
> ----------
>
> Brute Force (WASC-11):
>
> In the login form (http://site/user/) there is no reliable protection
> against brute force attacks. There is no captcha in Drupal itself, and
> the existing Captcha module (http://websecurity.com.ua/4749/) is
> vulnerable (and also all plugins to it, such as reCAPTCHA
> (http://websecurity.com.ua/4752/)).
>
> Abuse of Functionality (WASC-42):
>
> At the contact page (http://site/contact) and at the page for contacting
> a user (http://site/user/1/contact) it is possible to send spam from the
> site to arbitrary e-mails via the function "Send yourself a copy". And
> by using the Insufficient Anti-automation vulnerability it is possible
> to send spam from the site in an automated manner on a large scale. The
> attack using this function is possible only for logged-in users.
>
> For automated sending of spam it is necessary to use the
> before-mentioned Insufficient Anti-automation vulnerabilities - there
> is no captcha in Drupal itself, and the existing captcha module is
> vulnerable (and also all plugins to it, such as reCAPTCHA).
>
> About such Abuse of Functionality vulnerabilities I wrote in the article
> "Sending spam via sites and creating spam-botnets"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).
>
> Abuse of Functionality (WASC-42):
>
> On requesting specific pages of the site with a login set
> (http://site/users/user) it is possible to find existing logins of the
> users of the site (i.e. to enumerate logins). If it shows "Access
> denied", then such a login exists, and if "Page not found", then it
> does not.
>
> On requesting the pages for contacting users
> (http://site/user/1/contact) the login of the user is shown (i.e. it is
> possible to enumerate logins). The attack can be conducted only by
> logged-in users and it will work only if the attacked user has turned
> on the option "Personal contact form" in his profile.
>
> ------------
> Timeline:
> ------------
>
> 2010.12.15 - announced at my site.
> 2010.12.16 - informed developers.
> 2011.02.17 - disclosed at my site.
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/4763/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1ezF8ACgkQkSlsbLsN1gA3KAb9GAwPgHQPFrmPSam+i9/BDIm0
jiR7Yxx0A9ubv3xvQAyz+cVIvcXEXVE040PirkpcnC6lY4ZXWCdvzUiYVrkarlJC
y6CZ8WVw8xsnjxZb382wHUE00SQF4rylAv4OP0WYDDUqjdEPA+CLxKfaO/LtrmIB
b3QNPEkJhrxNnW6nHc+JeqAG6Ukz+0zpKen+Wi1IPaOR1XGMaiak7IjSdN91u/XV
MHlOKyOr1NLEOMze2+rH8PexbrWAXuWyj74F+2lVOeiiD95ZY3CpnIVKJGb6G79h
EuSuV/+JZ/Idj7pWIO4=
=pZNB
-----END PGP SIGNATURE-----
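Both messages above describe behaviour a site operator can see in the web server's access log: a login form that re-renders on failure, and profile-style pages whose "Access denied" versus "Page not found" reply leaks whether a login exists. The script below is an added example, not code from either poster or from the Drupal project; it runs a simple per-client heuristic over constructed Apache combined-format log lines. Everything it assumes is not stated in the thread: the log format; that Drupal answers "Access denied" with HTTP 403 and "Page not found" with HTTP 404; that the Drupal 6 login form posts to `/user` or `/user/login` with clean URLs and redirects (302) only on success; that profile paths look like `/user/<x>` or `/users/<x>` (the thread quotes `/users/user`); and the thresholds, which are illustrative.

```python
import re
from collections import defaultdict

# Apache "combined" log line (assumed format, not stated in the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Profile-style paths whose 403-vs-404 reply leaks whether a login exists.
# Assumption: the thread quotes /users/user and Drupal's own profile route is
# /user/<uid>, so both prefixes are matched; the known non-profile sub-paths
# of /user/ (login, register, password) are excluded.
PROFILE_RE = re.compile(r'^/users?/(?!(?:login|register|password)$)[^/]+$')

# Drupal 6 login form posts to /user or /user/login (clean URLs assumed).
LOGIN_PATHS = {"/user", "/user/login"}


def parse_line(line):
    """Return dict(ip, ts, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, enum_threshold=5, brute_threshold=10):
    """Count, per client IP, (a) GETs to profile paths answered 403/404 and
    (b) POSTs to the login form not answered with a redirect, and report the
    IPs that reach the (illustrative) thresholds as sorted tuples."""
    enum_hits = defaultdict(int)
    login_failures = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "GET" and PROFILE_RE.match(rec["path"])
                and rec["status"] in (403, 404)):
            enum_hits[rec["ip"]] += 1
        elif (rec["method"] == "POST" and rec["path"] in LOGIN_PATHS
                and rec["status"] != 302):
            # Assumed: a successful Drupal login redirects (302) while a
            # failed one re-renders the form (200), so non-302 POSTs fail.
            login_failures[rec["ip"]] += 1
    findings = [("user_enumeration", ip, n)
                for ip, n in enum_hits.items() if n >= enum_threshold]
    findings += [("login_brute_force", ip, n)
                 for ip, n in login_failures.items() if n >= brute_threshold]
    return sorted(findings)


# Constructed sample log: one client probing profile paths (mixed 403/404),
# one client hammering the login form, some ordinary traffic, one junk line.
def _line(ip, method, path, status, sec):
    return (f'{ip} - - [18/Feb/2011:14:{sec:02d}:00 -0500] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [_line("203.0.113.5", "GET", f"/user/{name}", st, i) for i, (name, st)
     in enumerate([("alice", 403), ("bob", 404), ("carol", 403),
                   ("dave", 404), ("erin", 404), ("frank", 403)])]
    + [_line("198.51.100.7", "POST", "/user/login", 200, i) for i in range(12)]
    + [_line("192.0.2.10", "GET", "/user/alice", 200, 30),
       _line("192.0.2.10", "POST", "/user/login", 302, 31),
       _line("192.0.2.10", "GET", "/user/login", 200, 32),
       "this line is not in combined format"]
)

if __name__ == "__main__":
    for kind, ip, n in analyse(SAMPLE_LOG):
        print(f"{kind}: {ip} ({n} hits)")
```

This is a coarse, log-side check, meant to complement rather than replace an in-application control such as the Login Security module Justin points to: the application can throttle or lock accounts per user, while the log heuristic only sees per-client volume and will miss a slow or widely distributed attempt. The enumeration rule deliberately requires both reply codes to count, since a handful of 404s to `/user/<x>` from one client is ordinary traffic.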