Message-ID: <7fe8024bfe4c54e15712083c1a131d8e@intern0t.net>
Date: Sun, 25 Mar 2012 18:09:36 -0400
From: InterN0T Advisories <advisories@...ern0t.net>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk, submissions@...ketstormsecurity.org
Subject: Re: Brute Force vulnerability in WordPress

The same type of vulnerability exists in 99,999...% of all web applications,
including your website. Even if you can't bruteforce all the time, you can
adjust it with timing and, e.g., proxies, different user-agents, etc., and
then you have "Timed Bruteforce Attacks", which work on pretty much all
websites. Did you also mention this 5-10 years ago on your web site about
website security named websitesecurity.com.ua?

Also, when will you stop posting about bruteforce / full path
disclosure / locking actual users out / and other low priority
"vulnerabilities" that exist in most web apps, and completely move on to
vulnerabilities that matter? Seriously, anyone can find these
"vulnerabilities", and the reason why nobody has reported / disclosed /
complained about them is that they exist in most apps and don't
compromise the security of the end-user nor the website.

Will the next thing you disclose be about bruteforcing SSH because it by
default doesn't lock users out? It's been like this for +10 or +20 years. 


What I find funny is that either you: 
A) Say a web app has a vulnerability because it doesn't lock the
"offending" user out because of too many password tries, OR
B) Say a web app has a vulnerability because it does lock out the
offending user because of too many password tries.

It's almost a contradiction and an endless evil circle. You can't have
both, ever.


No offense intended of course.



Best regards,
MaXe

On Sun, 25 Mar 2012 23:45:33 +0300, "MustLive"
<mustlive@...security.com.ua> wrote:
> Hello list!
> 
> There are many vulnerabilities in WordPress which exist from version 2.0,
> or even from 1.x versions, and are still not fixed. So I want to warn you
> about one of such holes. It's a Brute Force vulnerability via the XML-RPC
> functionality in WordPress.
> 
> -------------------------
> Affected products:
> -------------------------
> 
> Vulnerable are WordPress 3.3.1 and previous versions.
> 
> ----------
> Details:
> ----------
> 
> Brute Force (WASC-11):
> 
> http://site/xmlrpc.php
> 
> In this functionality there is no protection against Brute Force attacks.
> By sending the corresponding POST requests it's possible to pick up the
> password.
> 
> Note that since WordPress 2.6 the XML-RPC functionality is turned off by
> default. WP developers did it due to vulnerabilities (such as SQL
> Injection and others) which were found in this functionality, i.e. not
> motivating it as a counteraction to Brute Force, but it also worked as
> protection against Brute Force attacks.
> 
> So this issue doesn't concern those who use WordPress since version 2.6
> with default settings. But those who need to use XML-RPC will have a
> Brute Force vulnerability, because the developers didn't make reliable
> protection against it.
> 
> Earlier, in 2008 and 2010, I already wrote about Brute Force
> vulnerabilities in WordPress (http://websecurity.com.ua/2007/ and
> http://websecurity.com.ua/4016/, SecurityVulns ID: 10677) and this is
> another such vulnerability. Besides them there is also a known BF attack
> not via the login form, but using the authorization cookie (when by
> setting different cookies it's possible to pick up the password).
> 
> ------------
> Timeline:
> ------------
> 
> 2012.03.20 - disclosed at my site.
> 
> I mentioned this vulnerability at my site
> (http://websecurity.com.ua/5723/).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

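Added as an editor's example, not part of either message in the thread: detection logic over constructed access-log lines that flags the rapid POST bursts against xmlrpc.php the advisory describes. The Apache combined-log format, the IP addresses and the threshold are assumptions; it counts request volume rather than HTTP status, because a failed XML-RPC login is still answered with a 200 carrying a fault element in the body.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (not real traffic):
# a legitimate blog client, a rapid guessing burst, and an unrelated request.
SAMPLE_LOG = """\
198.51.100.4 - - [25/Mar/2012:18:00:10 -0400] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Windows Live Writer"
203.0.113.7 - - [25/Mar/2012:18:05:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 392 "-" "python-xmlrpc"
203.0.113.7 - - [25/Mar/2012:18:05:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 392 "-" "python-xmlrpc"
203.0.113.7 - - [25/Mar/2012:18:05:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 392 "-" "python-xmlrpc"
203.0.113.7 - - [25/Mar/2012:18:05:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 392 "-" "python-xmlrpc"
203.0.113.7 - - [25/Mar/2012:18:05:04 -0400] "POST /xmlrpc.php HTTP/1.1" 200 392 "-" "python-xmlrpc"
192.0.2.9 - - [25/Mar/2012:18:05:05 -0400] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Mar/2012:18:12:40 -0400] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Windows Live Writer"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_xmlrpc_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP that POSTed to /xmlrpc.php at least `threshold` times
    inside any `window` to its peak count. Only volume is counted: a failed
    XML-RPC login is still an HTTP 200, so status cannot tell guesses apart."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs in the sliding window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/xmlrpc.php":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Lines are assumed to be in chronological order, as a server writes them; the legitimate client's two posts twelve minutes apart never reach the threshold while the burst does.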
