lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008e01cee3df$5fb80270$9b7a6fd5@pc>
Date: Sun, 17 Nov 2013 23:51:58 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: BF, LE and IAA vulnerabilities in InstantCMS

Hello list!

In addition to multiple vulnerabilities in InstantCMS, which I've disclosed 
earlier, here are new ones.

These are Brute Force, Login Enumeration and Insufficient Anti-automation 
vulnerabilities in InstantCMS.

-------------------------
Affected products:
-------------------------

Vulnerable are InstantCMS 1.10.3 and previous versions.

-------------------------
Affected vendors:
-------------------------

InstantSoft
http://www.instantcms.ru

----------
Details:
----------

Brute Force (WASC-11):

In login form there is no protection from Brute Force attacks.

http://site/admin/login.php
http://site/login

BF vulnerabilities I found in older versions of engine. In InstantCMS 
1.10.1, according to changelog, BF holes were fixed by adding captcha. 
Checking at official web site didn't reveal any captcha, so this fix for 
both BF holes wasn't verified and the captcha wasn't tested (how much is it 
secure, as I showed in my Month of Bugs in Captchas in 2007, captchas can be 
very insecure). Plus a lot of sites use older versions of InstantCMS and 
with all mentioned Login Enumeration vulnerabilities in InstantCMS, these BF 
holes are very actual.

Login Enumeration (WASC-42):

In registration form (http://site/registration) logins are enumerating via 
ajax-requests.

Insufficient Anti-automation (WASC-21):

Presence of the captcha in registration form (for protecting against 
automated registration) doesn't protect from automated login enumeration. 
The requests are sending to the script 
http://site/core/ajax/registration.php.

------------
Timeline:
------------ 

2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about first part of the vulnerabilities. 
Ignored.
2013.07.31 - informed developers about another part of the vulnerabilities. 
Answered, but refused to fix.
2013.08.02 - reminded developers about first letter with holes and explained 
why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any 
informed vulnerabilities.
2013.09.24 - announced at my site.
2013.10.15 - developers released InstantCMS 1.10.3 without fixing any 
informed vulnerabilities.
2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ