| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Nov 2013 23:51:58 +0200 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: BF, LE and IAA vulnerabilities in InstantCMS Hello list! In addition to multiple vulnerabilities in InstantCMS, which I've disclosed earlier, here are new ones. These are Brute Force, Login Enumeration and Insufficient Anti-automation vulnerabilities in InstantCMS. ------------------------- Affected products: ------------------------- Vulnerable are InstantCMS 1.10.3 and previous versions. ------------------------- Affected vendors: ------------------------- InstantSoft http://www.instantcms.ru ---------- Details: ---------- Brute Force (WASC-11): In login form there is no protection from Brute Force attacks. http://site/admin/login.php http://site/login BF vulnerabilities I found in older versions of engine. In InstantCMS 1.10.1, according to changelog, BF holes were fixed by adding captcha. Checking at official web site didn't reveal any captcha, so this fix for both BF holes wasn't verified and the captcha wasn't tested (how much is it secure, as I showed in my Month of Bugs in Captchas in 2007, captchas can be very insecure). Plus a lot of sites use older versions of InstantCMS and with all mentioned Login Enumeration vulnerabilities in InstantCMS, these BF holes are very actual. Login Enumeration (WASC-42): In registration form (http://site/registration) logins are enumerating via ajax-requests. Insufficient Anti-automation (WASC-21): Presence of the captcha in registration form (for protecting against automated registration) doesn't protect from automated login enumeration. The requests are sending to the script http://site/core/ajax/registration.php. ------------ Timeline: ------------ 2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1. 2013.07.19 - informed developers about first part of the vulnerabilities. Ignored. 2013.07.31 - informed developers about another part of the vulnerabilities. Answered, but refused to fix. 2013.08.02 - reminded developers about first letter with holes and explained why to fix them. 2013.08.02 - developers released InstantCMS 1.10.2 without fixing any informed vulnerabilities. 2013.09.24 - announced at my site. 2013.10.15 - developers released InstantCMS 1.10.3 without fixing any informed vulnerabilities. 2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists