| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Apr 2011 12:32:56 -0700 From: Andrew Farmer <andfarm@...il.com> To: MustLive <mustlive@...security.com.ua> Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Multiple vulnerabilities in MyBB On 2011-04-22, at 09:21, MustLive wrote: > Information Leakage (WASC-13): > > Logins are names of the users at the forum (and so it's possible to reveal > logins at forum's pages). You're kidding, right? Revealing the names of forum users is practically core functionality. There's no expectation whatsoever that they be kept secret - they're displayed all over the site, and a member list (giving you the ability to download ALL USER NAMES ON THE FORUM OMG) is enabled by default. > Insufficient Anti-automation (WASC-21): > > http://site/member.php?action=activate&uid=1 > > http://site/member.php?action=lostpw > > These functionalities have no protection from automated attacks (captcha). The first one requires an activation code sent by email. I suppose you could *try* to brute-force it, but you'd probably have better luck brute-forcing the password on the email address you sent the activation to. The second one... well, I suppose you could use it to try to determine whether email addresses belong to anyone on the forum, or send annoying password reset emails, but adding a CAPTCHA wouldn't really change that much. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists