Open Source and information security mailing list archives
Message-ID: <013101cc6e52$49cc4840$9b7a6fd5@ml>
Date: Thu, 8 Sep 2011 21:07:38 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Security bypass vulnerability in MyBB

Hello list!

I want to warn you about a security bypass vulnerability in MyBB, which allows bypassing the protection against Brute Force and conducting Brute Force attacks.

In August, in my article "Bypassing captchas and blocking at web sites" (http://websecurity.com.ua/5334/), I wrote about a vulnerability in MyBB as an example of such attacks (because it was a good example for the article). I'll describe it briefly in this advisory.

In April I disclosed a Brute Force vulnerability in MyBB (http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080408.html), where it was possible to bypass the captcha in the login form by using the session reusing with constant captcha bypass method. The developers ignored fixing this and other vulnerabilities (in the released MyBB 1.6.3). For this reason, I've not wasted my time informing the developers about the new BF vulnerability in their software. In any case, I already mentioned such protection mechanisms and their bypass last year in publications at my site, including in my article (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-August/007003.html).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of MyBB (MyBB 1.6.4 and previous versions), when the non-captcha method of protection against Brute Force attacks is used at the forum. Concerning bypassing the captcha in the login form, I already wrote about that in the above-mentioned advisory about MyBB.

----------
Details:
----------

Brute Force (WASC-11):

As I found in August, the developers set by default another protection method in the new versions MyBB 1.6.3 and 1.6.4 (which also exists in previous versions of the engine and is used at most forums on MyBB).
This method uses a limit on login attempts instead of a captcha, but this protection can be easily bypassed by using my method described in the article. If you do not accept cookies (or delete or null the cookie loginattempts), then the number of login attempts will be unlimited, and any blocking will fail. And if the blocking has already triggered, then it's just needed to delete or null this cookie to remove the blocking.

This situation takes place on most forums on MyBB, but there are forums on such versions of the engine which hold the counter of login attempts not in the cookie loginattempts, but in the session. Then for bypassing the protection it's just needed to delete the cookie sid.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
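The failure mode described in the post, modelled as an added example (this is illustrative code, not MyBB's source and not MustLive's): a login handler that keeps the attempt counter in a cookie the client sends back, beside one that keeps it server-side, both run against the same wordlist by an attacker who simply never stores the cookies the server sets. Only the cookie name loginattempts comes from the advisory; the threshold, the account, the wordlist and the request/response shape are constructed assumptions.

```python
"""Added example: an attempt counter kept in a client cookie versus one kept
on the server, under the cookie-dropping attack from the advisory.
Not MyBB code; only the cookie name "loginattempts" is taken from the post.
"""
from collections import defaultdict

MAX_ATTEMPTS = 5                      # assumed threshold, not MyBB's actual value
USERS = {"admin": "correct horse"}    # constructed sample account


class CookieCounterLogin:
    """Vulnerable pattern: the failure count lives in a cookie the client
    is trusted to send back unchanged (or at all)."""

    def login(self, request):
        # Whatever the client presents is believed; a missing cookie reads as 0.
        attempts = int(request["cookies"].get("loginattempts", 0))
        if attempts >= MAX_ATTEMPTS:
            return {"status": "blocked",
                    "set_cookie": {"loginattempts": str(attempts)}}
        if USERS.get(request["username"]) == request["password"]:
            return {"status": "ok", "set_cookie": {"loginattempts": "0"}}
        return {"status": "failed",
                "set_cookie": {"loginattempts": str(attempts + 1)}}


class ServerCounterLogin:
    """Hardened pattern: failures are counted on the server, keyed by the
    account being attacked and the source address, so nothing the client
    withholds or deletes can reset them."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, request):
        key = (request["username"], request["client_ip"])
        if self.failures[key] >= MAX_ATTEMPTS:
            return {"status": "blocked", "set_cookie": {}}
        if USERS.get(request["username"]) == request["password"]:
            self.failures[key] = 0
            return {"status": "ok", "set_cookie": {}}
        self.failures[key] += 1
        return {"status": "failed", "set_cookie": {}}


def brute_force(handler, wordlist, keep_cookies):
    """Try every password in wordlist against the 'admin' account.

    keep_cookies=True  : a well-behaved client that stores Set-Cookie values.
    keep_cookies=False : the bypass from the advisory; cookies are never kept,
                         so every request arrives without loginattempts.
    Returns (password_found_or_None, requests_sent, blocked_responses).
    """
    jar = {}
    blocked = 0
    for i, guess in enumerate(wordlist, 1):
        req = {"username": "admin", "password": guess,
               "client_ip": "198.51.100.7",        # constructed source address
               "cookies": dict(jar)}
        resp = handler.login(req)
        if keep_cookies:
            jar.update(resp["set_cookie"])
        if resp["status"] == "blocked":
            blocked += 1
        elif resp["status"] == "ok":
            return guess, i, blocked
    return None, len(wordlist), blocked


# Constructed sample wordlist; the real password is deliberately last so the
# attacker must get past the attempt limit to reach it.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin",
            "welcome", "monkey", "dragon", "correct horse"]

if __name__ == "__main__":
    for name, handler in (("cookie counter", CookieCounterLogin()),
                          ("server counter", ServerCounterLogin())):
        for keep in (True, False):
            pw, n, blocked = brute_force(handler if keep else type(handler)(),
                                         WORDLIST, keep_cookies=keep)
            print(f"{name:15s} keep_cookies={keep!s:5s} "
                  f"found={pw!r} requests={n} blocked={blocked}")
```

Against the cookie-based handler a cooperating client is blocked from the sixth request on and never reaches the correct password, while the cookie-dropping client is evaluated on every request and recovers it; against the server-side handler dropping cookies changes nothing. The session-held variant the post mentions (counter stored in the session identified by the sid cookie) behaves like the cookie case in this model, because discarding sid starts a fresh session with a zero counter; keying the counter by account and/or source address, as the hardened class does, removes that dependence on client-held state.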