Message-ID: <008e01cee3df$5fb80270$9b7a6fd5@pc>
Date: Sun, 17 Nov 2013 23:51:58 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: BF, LE and IAA vulnerabilities in InstantCMS
Hello list!
In addition to the multiple vulnerabilities in InstantCMS which I disclosed
earlier, here are new ones.
These are Brute Force, Login Enumeration and Insufficient Anti-automation
vulnerabilities in InstantCMS.
-------------------------
Affected products:
-------------------------
InstantCMS 1.10.3 and previous versions are vulnerable.
-------------------------
Affected vendors:
-------------------------
InstantSoft
http://www.instantcms.ru
----------
Details:
----------
Brute Force (WASC-11):
In the login form there is no protection against Brute Force attacks.
http://site/admin/login.php
http://site/login
I found the BF vulnerabilities in older versions of the engine. In InstantCMS
1.10.1, according to the changelog, the BF holes were fixed by adding a captcha.
Checking the official web site didn't reveal any captcha, so this fix for
both BF holes wasn't verified and the captcha wasn't tested for how secure it
is (as I showed in my Month of Bugs in Captchas in 2007, captchas can be
very insecure). Plus a lot of sites use older versions of InstantCMS, and
with all the mentioned Login Enumeration vulnerabilities in InstantCMS, these BF
holes are very relevant.
Login Enumeration (WASC-42):
In the registration form (http://site/registration) logins can be enumerated via
AJAX requests.
Insufficient Anti-automation (WASC-21):
The presence of a captcha in the registration form (for protection against
automated registration) doesn't protect against automated login enumeration.
The requests are sent to the script
http://site/core/ajax/registration.php.
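As an added defender-side example (not part of this advisory or of InstantCMS), the following Python flags the automation described above in web-server access logs: repeated POSTs from one address to the registration AJAX script or to either login URL within a short window. The log lines and addresses are constructed, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the advisory: the AJAX login-existence check reached by
# the registration form, and the two login forms without brute-force protection.
WATCHED = {"/core/ajax/registration.php", "/login", "/admin/login.php"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def flag_automation(log_text, threshold=10, window=timedelta(minutes=1)):
    """Return {(ip, path): max_hits} for sources that POST to a watched endpoint
    at least `threshold` times inside any sliding window of length `window`.
    Threshold and window are assumed values, not InstantCMS settings."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            hits[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def _line(ip, second, path):
    return f'{ip} - - [17/Nov/2013:23:40:{second:02d} +0200] "POST {path} HTTP/1.1" 200 41'

# Constructed sample traffic (not real logs): 12 AJAX username checks from one
# address within 33 seconds, and two ordinary logins from another address.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s, "/core/ajax/registration.php") for s in range(0, 36, 3)]
    + [_line("198.51.100.7", s, "/login") for s in (5, 50)]
)

if __name__ == "__main__":
    for (ip, path), n in flag_automation(SAMPLE_LOG).items():
        print(f"{ip} hit {path} {n} times within one minute")
```

Detection of this kind only narrows the window of abuse; the fix on the application side is rate limiting and an indistinguishable response for existing and non-existing logins on the AJAX endpoint.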
------------
Timeline:
------------
2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed developers about the first part of the vulnerabilities.
Ignored.
2013.07.31 - informed developers about another part of the vulnerabilities.
Answered, but refused to fix.
2013.08.02 - reminded developers about the first letter with holes and explained
why to fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the
reported vulnerabilities.
2013.09.24 - announced at my site.
2013.10.15 - developers released InstantCMS 1.10.3 without fixing any of the
reported vulnerabilities.
2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua