[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002601cc6743$0b46c980$9b7a6fd5@ml>
Date: Tue, 30 Aug 2011 21:30:48 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities in com_bookman for Joomla
Hello list!
I want to warn you about Insufficient Anti-automation and Denial of Service
vulnerabilities in com_bookman for Joomla. Also this component is included
in Reservation Manager for Joomla.
This is another one of few advisories which I've made in April 2010. In this
advisory I'm continue to inform readers of mailing lists about vulnerable
web applications which are using CaptchaSecurityImages.php.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of com_bookman and all versions of Reservation
Manager for Joomla.
I've already wrote last year the recommendations about fixing these issues
in another my advisory concerning vulnerable web application with
CaptchaSecurityImages.php. As I wrote earlier
(http://www.securityfocus.com/archive/1/511023), developers of
CaptchaSecurityImages.php fixed this hole at 27.03.2007. So one of the way
to fix these issues is to use fixed version of the script or to make
appropriate changes in com_bookman's version of the script.
----------
Details:
----------
These are Insufficient Anti-automation and Denial of Service
vulnerabilities.
The vulnerabilities exist in captcha script CaptchaSecurityImages.php, which
is using in this system. I already wrote at my site about vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).
Insufficient Anti-automation (WASC-21):
http://site/components/com_bookman/functions/CaptchaSecurityImages.php?width=150&height=100&characters=2
Captcha bypass is possible via half-automated or automated (with using of
OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).
DoS (WASC-10):
http://site/components/com_bookman/functions/CaptchaSecurityImages.php?width=1000&height=9000
With setting of large values of width and height it's possible to create
large load at the server.
------------
Timeline:
------------
2010.04.10 - disclosed at my site.
2010.04.11 - informed developers of com_bookman and Reservation Manager for
Joomla.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4117/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists