lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 May 2014 23:56:28 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] LE, BF and IAA vulnerabilities in Catapulta I.W. Edition Hello list! These are Login Enumeration, Brute Force and Insufficient Anti-automation vulnerabilities in Catapulta I.W. Edition. This is commercial CMS. It's used at web site of one presidential contender in Ukraine (the elections were last Sunday), where I found these vulnerabilities at 28.01.2014. This politic never cared about security of his web site and his site was hacked in 2009, so no surprise he used vulnerable CMS this year too and still haven't fixed holes - as these ones, as many others. There are many interesting Information Leakage vulnerabilities at that web site, but as I found they are related to site configuration or non-default CMS configuration and are not present at other sites on Catapulta. ------------------------- Affected products: ------------------------- Vulnerable are all versions of Catapulta I.W. Edition. ------------------------- Affected vendors: ------------------------- Pula Design - developer of Catapulta. http://pula.com.ua ---------- Details: ---------- Login Enumeration (WASC-42): http://site/admin/login.php Different answers allow to enumerate logins in the system. Brute Force (WASC-11): http://site/admin/login.php There is no protection from Brute Force attacks. Insufficient Anti-automation (WASC-21): In contact form (http://site/messageadmin.html) there is no protection against automated attacks. ------------ Timeline: ------------ 2014.02.28 - announced at my site. 2014.03.07 - informed developers. Ignored. 2014.05.30 - disclosed at my site (http://websecurity.com.ua/7033/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists