Bugtraq mailing list archives

Re: Vulnerabilities in Dunia Soccer


From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 9 Apr 2010 20:30:02 +0300

Hello Susan!

> Pardon me, but you disclosed it at your site before you informed the
> developers?

Yes, and there is a reason for it. In 99% of cases I use the advanced
responsible disclosure approach for informing admins and web developers about
vulnerabilities. But this time I used responsible full disclosure. I wrote in
detail about all disclosure policies (including these ones) in my article
"Hacking of web sites, security researches, disclosure and legislation", in
part 4, "Vulnerability disclosure"
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/).

It's because earlier I had already disclosed details (at my site and to
security lists) of vulnerabilities in CaptchaSecurityImages (a captcha script
which is used in this CMS, as in many other CMSes and web applications). So
there was no reason not to write details about these holes in the advisory at
my site, because all the information is already public. So for all of these
vulnerable webapps I used the responsible full disclosure approach.

> I don't even know what Dunia soccer is but how about you give vendors a
> chance to make good?

By informing the developers of CaptchaSecurityImages.php, and additionally
every developer of every web app (which I found) which is using it (like Dunia
Soccer), I'm giving them a chance to make it good. Because the developers of
CaptchaSecurityImages already fixed most of the holes in their script in 2007
and still many developers around the world are using the vulnerable version of
the script or "develop" holes (by ignoring the developer's recommendations), I
decided to inform those web developers also and to write additional
advisories. Not to inform every site owner with this CaptchaSecurityImages.php
(there are too many of them), but to inform all web developers who use this
script. It's the only way to draw their attention to these issues.

If you look at my advisory about vulnerabilities in CaptchaSecurityImages
(http://www.securityfocus.com/archive/1/510276/30/30/threaded), you'll see
that I found these holes a long time ago. I found them at one site and thought
that it was a single-site issue in a custom-made captcha. And I gave the admin
of that site enough time to fix those holes (but he ignored my warnings about
the holes). And only on 17.09.2009, when I found the same captcha script at
another site, did I understand that it's a popular captcha script and so these
holes are widespread. And after 16.03.2010, when I disclosed a new hole at
that site, the next day I disclosed the hole in CaptchaSecurityImages itself
and began separately disclosing holes in different webapps which use it.

> Is it a vendor site that has information or is this an informational
> forum/sale of soccer stuff site that has a buggy captcha

I found this captcha at some sites before I understood that this is a popular
and widespread captcha script. But since then I'm only researching holes in
webapps - via a Google dork which reveals to me a lot of SVNs with this
vulnerable captcha script (and so I found a lot of different webapps with
it). I don't know anything about Dunia Soccer and the other systems, such as
WeBAM, TooFAST, ArcManager, MiniManager for Project
MANGOS, NoCMS, HoloCMS, GunCMS, PhoenixCMS PHP Edition and phpCOIN (which I
wrote to Bugtraq about, and I'll write about others). I just found these holes
(concerned with CaptchaSecurityImages) in their source code in online SVNs.

> The vulnerability ...or rather the bug is in the captcha code, this is
> just a site using it, right?

I'm not writing about bugs, only about vulnerabilities :-). And I regularly
find holes at single sites (which often use some engines). But in my
advisories I'm talking only about webapps. As I said above, there are many
web applications which are using this captcha, and I wrote to security
mailing lists about some of them and I'll write about others soon.

> But really, for this type of bug do you really need to be trying to
> "shame" someone into fixing it or just informing the site that there's a
> page that is sucking CPU cycles and able to bypass the captcha to post
> spam?

When I find holes at a site, I inform the admin of the site (and for more
than five years I have informed a lot of admins of sites about a lot of
holes). I don't write (in most cases) to mailing lists about holes in single
sites, only in webapps.

> Why not give the admin of the site a chance?

For the more than five years that I've been working in webappsec, I've always
given every admin and web developer a chance to fix (I use advanced responsible
disclosure in 99% of cases). And in most cases they just do lame things, like
ignoring and not fixing, or badly fixing, or fixing in secret without
thanking me, like it was with securityfocus.com in 2006 and many others.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- From: "Susan Bradley" <sbradcpa () pacbell net>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <bugtraq () securityfocus com>
Sent: Thursday, April 08, 2010 10:05 PM
Subject: Re: Vulnerabilities in Dunia Soccer


Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------

Pardon me, but you disclosed it at your site before you informed the
developers?
I don't even know what Dunia soccer is but how about you give vendors a
chance to make good?

Is it a vendor site that has information or is this an informational
forum/sale of soccer stuff site that has a buggy captcha that makes the
server admin wonder what is chewing up the CPU and why spam is still
making it to the site?

The vulnerability ...or rather the bug is in the captcha code, this is
just a site using it, right?

But really, for this type of bug do you really need to be trying to
"shame" someone into fixing it or just informing the site that there's a
page that is sucking CPU cycles and able to bypass the captcha to post
spam?

Why not give the admin of the site a chance?

MustLive wrote:
Hello Bugtraq!

I want to warn you about security vulnerabilities in the system Dunia Soccer.

-----------------------------
Advisory: Vulnerabilities in Dunia Soccer
-----------------------------
URL: http://websecurity.com.ua/4083/
-----------------------------
Affected products: all versions of Dunia Soccer.
-----------------------------
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------
Details:

These are Insufficient Anti-automation and Denial of Service
vulnerabilities.

The vulnerabilities exist in the captcha script CaptchaSecurityImages.php,
which is used in this system. I already reported vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:

http://site/class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible both via half-automated or automated (using OCR)
methods, which were mentioned before (http://websecurity.com.ua/4043/), and
via the session reuse with constant captcha bypass method
(http://websecurity.com.ua/1551/), which was described in the project Month
of Bugs in Captchas.

DoS:

http://site/class/captcha/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it's possible to create a large
load on the server.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
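Added illustration, not part of the thread and not the CaptchaSecurityImages.php
source: a PHP sketch of the two patterns the advisory above describes (the
image script taking width, height and characters from the query string, and a
captcha value that stays in the session after it has been checked) next to a
hardened form of each. The function names, the $_SESSION['security_code'] key
and the size limits are assumptions chosen for the illustration; only the
parameter names width, height and characters come from the advisory.

```php
<?php
// Added example. Reconstructs the weaknesses named in the advisory
// (client-controlled captcha parameters, replayable session value);
// function names, session key and limits are assumptions, not taken
// from CaptchaSecurityImages.php.

session_start();

// --- Vulnerable pattern: sizes and character count come from the client.
// ?characters=2 turns the puzzle into a 2-character guess, and
// ?width=1000&height=9000 makes the server allocate a 9-megapixel image
// on every request.
function captcha_params_vulnerable(array $get): array
{
    return [
        'width'      => isset($get['width'])      ? (int)$get['width']      : 120,
        'height'     => isset($get['height'])     ? (int)$get['height']     : 40,
        'characters' => isset($get['characters']) ? (int)$get['characters'] : 6,
    ];
}

// --- Hardened: fixed character count, dimensions clamped to the range the
// form actually needs. The limits are illustrative values.
const CAPTCHA_CHARACTERS = 6;
const CAPTCHA_MIN_WIDTH  = 50;
const CAPTCHA_MAX_WIDTH  = 300;
const CAPTCHA_MIN_HEIGHT = 20;
const CAPTCHA_MAX_HEIGHT = 100;

function captcha_params_hardened(array $get): array
{
    $w = isset($get['width'])  ? (int)$get['width']  : 120;
    $h = isset($get['height']) ? (int)$get['height'] : 40;
    return [
        'width'      => max(CAPTCHA_MIN_WIDTH,  min($w, CAPTCHA_MAX_WIDTH)),
        'height'     => max(CAPTCHA_MIN_HEIGHT, min($h, CAPTCHA_MAX_HEIGHT)),
        'characters' => CAPTCHA_CHARACTERS,   // never chosen by the client
    ];
}

// --- Session reuse ("constant captcha"): the form handler compares the
// submitted code with the value the image script put in the session but
// leaves that value in place. A bot that solved the image once can keep
// sending the same cookie and the same code without fetching a new image.
function verify_captcha_vulnerable(string $submitted): bool
{
    return isset($_SESSION['security_code'])
        && $submitted === $_SESSION['security_code'];
}

// --- Hardened: the stored value is consumed on the first comparison,
// match or not, and compared in constant time. The next submission needs
// a freshly generated image, hence a fresh session value.
function verify_captcha_hardened(string $submitted): bool
{
    if (!isset($_SESSION['security_code'])) {
        return false;
    }
    $expected = $_SESSION['security_code'];
    unset($_SESSION['security_code']);
    return hash_equals($expected, $submitted);
}

// Self-check on constructed input (no HTTP request involved).
$attack = ['width' => '1000', 'height' => '9000', 'characters' => '2'];
var_dump(captcha_params_vulnerable($attack));  // values taken verbatim
var_dump(captcha_params_hardened($attack));    // clamped, fixed count

$_SESSION['security_code'] = 'k3d9xq';         // constructed sample code
var_dump(verify_captcha_vulnerable('k3d9xq')); // first submission
var_dump(verify_captcha_vulnerable('k3d9xq')); // replay of the same code
var_dump(verify_captcha_hardened('k3d9xq'));   // first submission
var_dump(verify_captcha_hardened('k3d9xq'));   // replay after consumption
```

Run it from the command line with php and compare the two pairs of var_dump
results: the vulnerable handler accepts the replayed code because the session
value is still there, the hardened one does not. Capping width and height
addresses the load issue only for this script; a form that lets the client pick
the image size in any other way needs the same clamp.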

