lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <008b01cc6a7b$5f0d98b0$9b7a6fd5@ml>
Date: Sat, 3 Sep 2011 23:49:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Ivan Carlos" <icarlos@...rlos.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerabilities in GlobalWoW

Hello Ivan!

I see you didn't read my last year's advisories about different vulnerable
applications with CaptchaSecurityImages.php. That time I gave many other
examples of web applications made for WoW. GlobalWoW is one from many such
webapps (and one of many vulnerable servers for WoW). E.g., there is a
Project MANGOS - free and open source World of Warcraft server. And there
are vulnerable webapps, such as MiniManager for Project MANGOS, Land of
Legends Manager, WoWCrackz MaNGOS and others, which I wrote about last year
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074079.html).

I don't tell you how much it is legal or illegal. I'm not playing in World
of Warcraft and was not aware about existence of any non-official servers
(not from Blizzard), before in 2010 I started looking for other webapps with
this captcha script and found a lot of WoW servers among them. So question
about legality should go to the developers of them and to hosters (such as
Assembla and SourceForge), which host source codes of these servers.

> Reporting vulns on counterfeit applications is useless.

All applications deserve to have disclosures about vulnerabilities in
them - without exceptions. And in all cases with CaptchaSecurityImages.php I
was taking about free open source webapps which are publicly hosting in
Internet (and I also know about commercial webapps with this vulnerable
script). Concerning legality aspects should worry developers and hosters -
Assembla and SourceForge should know what they are hosting and if they host
such software for many years, then it looks like they consider it as legal.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Ivan Carlos" <icarlos@...rlos.net>
To: "MustLive" <mustlive@...security.com.ua>;
<submissions@...ketstormsecurity.org>; <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, August 31, 2011 11:59 PM
Subject: RE: [Full-disclosure] Vulnerabilities in GlobalWoW


> C'mon... isn't that (gaming non-licensed server over a patented
> application) illegal?
>
> Reporting vulns on counterfeit applications is useless.
>
> Ivan Carlos
> CISO, Consultant
> +55 (11) 8112-0666
> www.icarlos.net
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of MustLive
> Sent: quarta-feira, 31 de agosto de 2011 17:44
> To: submissions@...ketstormsecurity.org; full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Vulnerabilities in GlobalWoW
>
> Hello list!
>
> I want to warn you about Insufficient Anti-automation and Denial of
> Service vulnerabilities in GlobalWoW. Also GlobalWow can be included in
> ArcEmu and WOW Emulator Server.
>
> This is the last of few advisories which I've made in April 2010. In this
> advisory I'm continue to inform readers of mailing lists about vulnerable
> web applications which are using CaptchaSecurityImages.php.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are GlobalWow 3.0.9 and previous versions (and potentially next
> versions).
>
> Also the next products are affected: ArcEmu and WOW Emulator Server with
> which GlobalWow can be bundled.
>
> I've already wrote last year the recommendations about fixing these issues
> in another my advisory concerning vulnerable web application with
> CaptchaSecurityImages.php. As I wrote earlier
> (http://www.securityfocus.com/archive/1/511023), developers of
> CaptchaSecurityImages.php fixed this hole at 27.03.2007. So one of the way
> to fix these issues is to use fixed version of the script or to make
> appropriate changes in com_bookman's version of the script.
>
> ----------
> Details:
> ----------
>
> These are Insufficient Anti-automation and Denial of Service
> vulnerabilities.
>
> The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
> which is using in this system. I already wrote at my site about
> vulnerabilities in CaptchaSecurityImages
> (http://websecurity.com.ua/4043/).
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/acs/CaptchaSecurityImages.php?width=150&height=100&characters=2
>
> Captcha bypass is possible as via half-automated or automated (with using
> of
> OCR) methods, which were mentioned before
> (http://websecurity.com.ua/4043/),
> as with using of session reusing with constant captcha bypass method
> (http://websecurity.com.ua/1551/), which was described in project Month of
> Bugs in Captchas.
>
> DoS (WASC-10):
>
> http://site/acs/CaptchaSecurityImages.php?width=1000&height=9000
>
> With setting of large values of width and height it's possible to create
> large load at the server.
>
> ------------
> Timeline:
> ------------
>
> 2010.04.16 - disclosed at my site.
> 2010.04.17 - informed developers.
> 2010.04.18 - informed developers on another e-mail.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4134/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ