Open Source and information security mailing list archives
Date: Mon, 31 Dec 2012 15:55:46 +0200
From: Julius Kivimäki <>
Subject: BF, CSRF, and IAA vulnerabilities in

Hello list!

I want to warn you about multiple extremely severe vulnerabilities in

These are Brute Force and Insufficient Anti-automation vulnerabilities in These vulnerabilities are very serious and could affect
millions of people.

Affected products:

Vulnerable are all versions of


Brute Force (WASC-11):

In ftp server ( there is no protection from Brute

Cross-Site Request Forgery (WASC-09):

Lack of a captcha in the login form ( can be used for
different attacks: for a CSRF attack to log into an account (remote login, to
conduct attacks on vulnerabilities inside the account), for automated
entering into accounts, for phishing and other automated attacks, which you
can read about in the article "Attacks on unprotected login forms"

Insufficient Anti-automation (WASC-21):

In the login form there is no protection against automated requests, which allows
picking up logins in an automated way by attacking the login function.

2012.06.28 - announced at my site about
2012.06.28 - informed developers about the first part of vulnerabilities in
2012.06.30 - informed developers about the second part of vulnerabilities in
2012.07.26 - announced at my site about
2012.07.28 - informed developers about vulnerabilities in
and reminded them about the previous two letters I had sent them with carrier
2012.07.28-2012.10.31 - multiple attempts to contact the owners of
were ignored by the owners.
2012.11.02 - developers responded "fuck off and kill urself irl!".
2012.12.31 - disclosed on the list

Best wishes & regards,
Security master extraordinaire, master sysadmin
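As an added example (not code from the post, nor from any site or FTP server it refers to), the following Python shows the server-side control whose absence the post reports under "Brute Force" and "Insufficient Anti-automation": a login throttle that counts failed attempts per account and per source address in a sliding window and refuses further attempts before the credential is even checked. All names (LoginThrottle, authenticate, simulate_guessing), the thresholds, the constructed user store and the constructed source addresses are assumptions made for the example.

```python
"""Login throttle demonstrating anti-automation on a login function.

Hypothetical example code; thresholds and the user store are constructed
for illustration and are not taken from any real service.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Sliding-window failure counter keyed by account and by source address."""
    window_seconds: float = 600.0   # assumption: 10-minute window
    max_per_account: int = 5        # assumption: 5 failures per account
    max_per_source: int = 50        # assumption: 50 failures per source IP
    _failures: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, key, now):
        # Drop timestamps that fell out of the window; return the live count.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q)

    def is_locked(self, account, source, now):
        # Either counter crossing its threshold refuses the attempt.
        return (self._prune(("acct", account), now) >= self.max_per_account
                or self._prune(("src", source), now) >= self.max_per_source)

    def record_failure(self, account, source, now):
        self._failures[("acct", account)].append(now)
        self._failures[("src", source)].append(now)

    def record_success(self, account):
        # A real login clears the account counter; the per-source counter is
        # kept so a single address spraying many accounts still gets cut off.
        self._failures[("acct", account)].clear()


# Constructed credential store: a low PBKDF2 iteration count keeps the
# example fast; production code would use a far higher count.
_SALT = b"constructed-salt"
_ITERATIONS = 20_000


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"alice": _hash("correct horse")}


def authenticate(throttle, account, password, source, now):
    """Return (ok, reason).

    The throttle is consulted before the password is checked, so a locked
    account cannot be probed. Unknown accounts and wrong passwords share the
    same reason and the same hashing cost, so the response does not leak
    which logins exist (the "picking up logins" the post describes).
    """
    if throttle.is_locked(account, source, now):
        return False, "locked"
    stored = USERS.get(account)
    candidate = _hash(password)           # always computed, even for unknown accounts
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    if ok:
        throttle.record_success(account)
        return True, "ok"
    throttle.record_failure(account, source, now)
    return False, "bad credentials"


def simulate_guessing(throttle, account, source, guesses, start=0.0):
    """Feed a constructed wordlist at one account from one source, one guess per
    second. Returns how many guesses reached the credential check before the
    throttle refused further attempts."""
    checked = 0
    for i, guess in enumerate(guesses):
        ok, reason = authenticate(throttle, account, guess, source, start + i)
        if reason == "locked":
            break
        checked += 1
        if ok:
            break
    return checked


if __name__ == "__main__":
    t = LoginThrottle()
    wordlist = ["123456", "password", "qwerty", "letmein", "admin", "correct horse"]
    print("guesses checked before lockout:", simulate_guessing(t, "alice", "203.0.113.5", wordlist))
```

The per-account limit stops a dictionary attack on one login; the per-source limit stops one address spraying a common password across many accounts. Neither helps against a distributed attacker, which is why a captcha or proof-of-work step on the login form, the other control the post says is missing, is normally layered on top.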


Full-Disclosure - We believe in it.
