[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKzwKJ_EyfAnkiYGrHDxDXAKCvbQSPVG9cdhPjbCTaOSyWdAQA@mail.gmail.com>
Date: Wed, 19 Oct 2016 20:06:49 +0300
From: Elar Lang <elarlang@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code
Vulnerable version: before 3.6.0
CVE: CVE-2016-8600
Vendor/Product: dotCMS (http://dotcms.com/)
# Background and description
It's possible to re-use valid CAPTCHA code in dotCMS framework.
Last loaded CAPTCHA code is stored in session and CAPTCHA code is
renewed only when you reload image /Captcha.jpg from server. But if
you don't reload it, you can use previous valid CAPTCHA code till your
session is alive.
Problem was first announced with CRLF/Email Header Injection:
* link1: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
* link2: http://seclists.org/fulldisclosure/2016/May/69
# Preconditions
Attacker must first fill manually valid CAPTCHA code.
No other pre-conditions - no authentication or authorization needed.
# Proof-of-Concept
You need to detect from a dotCMS server:
* valid CAPTCHA by loading /Captcha.jpg
* your session id (JSESSIONID) value
If some form asks CAPTCHA, you can use those 2 values for sending valid data.
Proof-of-Concept with a detailed description is available at:
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
# Vulnerability Disclosure Timeline
First I mentioned CAPTCHA reuse possibility in other reports
2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in
Email Header Injection description
2015-12-14 | me > dotCMS | asked feedback in other set of reported
vulnerabilities
As reported Email Header Injection and different SQL injections were
fixed and CAPTCHA reuse wasn't fixed, I Reported separately
2016-05-27 | me > dotCMS | description of CAPTCHA reuse process
2016-06-29 | me > dotCMS | any comments or feedback?
2016-07-06 | dotCMS > me | confirmed bug and opened issue
2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be
programmatically reused by passing session id #9330"
2016-07-07 | me > mitre.org | CVE requested .. no response
2016-09-02 | dotCMS | dotCMS version 3.6.0 release
2016-10-10 | me > mitre.org | CVE requested via web form
2016-10-11 | mitre.org > me | CVE-2016-8600 assigned
2016-10-17 | me | Full Disclosure on security.elarlang.eu
# Fixes
Update dotCMS at least to version 3.6.0
Issue description and timeline: https://github.com/dotCMS/core/issues/9330
--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists