Re: Vulnerability in reCAPTCHA for Drupal

[Charles Morris <cmorris () cs odu edu>]

Michele,

Granted I don't know or really care about drupal, and I'm not just
trying to defend MustLive,
who just seems to be a guy trying to get ahead in the world, even if
he's a little misguided; but what really gets to me is when people
dismiss issues like that. Not to mention you are assuming that the
defaults are never changed.

full path disclosure IS an information disclosure, unless the code is
designed to disclose it's filesystem path. Any information gathered by
unorthodox methods from an application that wasn't designed to do so,
is an information disclosure.

Information disclosure IS a vulnerability.

Even if an attack vector isn't known, things like filesystem
knowledge, internal varialbe names, error messages, username => id
mapping, etc can still be used from a social engineering perspective.

It is my personal belief that all vulnerabilities should be patched
regardless of existence of a known attack vector or exploit.

If an application does not behave exactly as it's intended in all circumstances:
patch || gutmann()

And, to MustLive; I hope that debugging option or whatever is turned
on by default- otherwise the quoted issue is more of a
misconfiguration.... and yes two days is a completely irrational
acknowledgment duration cap ... :( ... I've had vendors take weeks to
acknowledge an issue.. we have to gently hold the hand of vendors and
teach them how computer work.. I personally suggest putting a proper
disclosure policy on your website and then stick to it.

On 2/17/11, Michele Orru <antisnatchor () gmail com> wrote:
> If you thing that some statements from MustLive like the following:
>
> "
>
> Full path disclosure (WASC-13):
>
> At POST request to the page with form with using of Cyrillic char in
> parameter op, the error message is showing, which consists the full path on
> the system.
>
> Vulnerabilities exist at pages:http://site/user/,http://site/user/1/edit,
> http://site/user/password,http://site/user/register,http://site/contact,
> http://site/user/1/contact. Other pages which have forms also can be
> vulnerable.
>
> Exploit:
>
> http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html
>
> As noted Drupal developers, these vulnerabilities appear due to turned on
> debugging option in administrator panel. So for preventing of these and
> other FPD at the site it's needed to turn off this option.
>
> "
> are not hilarious, then you're a really noob.
> I mean, every Drupal user knows that the default path to register a new
> user is user/register,
> or that the default admin account is reachable at user/1, or that the
> contact form is at the contact URI.
>
> These are not vulnerabilities, and this is one of the many reasons why
> almost no-one in FD
> read his "advisories" and flag his address as spam :)
>
> antisnatchor
> > ------------------------------------------------------------------------
...
> >      MustLive <mailto:mustlive () websecurity com ua>
> > February 17, 2011 6:18 PM
> >
> >
> > Hello list!
> >
> > I want to warn you about Insufficient Anti-automation vulnerability in
> > reCAPTCHA for Drupal.
> >
> > In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for
> > Drupal (http://websecurity.com.ua/1505/). This is new method of bypassing
> > reCaptcha for Drupal.
> >
> > -------------------------
> > Affected products:
> > -------------------------
> >
> > Vulnerable are all versions of reCAPTCHA plugin for Captcha module
> > versions
> > before 6.x-2.3 and 7.x-1.0.
> >
> > ----------
> > Details:
> > ----------
> >
> > Insufficient Anti-automation (WASC-21):
> >
> > In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is
> > using. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA
> > other captcha-plugins also can be vulnerable (at that this exploit is a
> > little different from exploit for default Captcha module for Drupal).
> >
> > For bypassing of captcha it's needed to use correct value of
> > captcha_sid, at
> > that it's possible to not answer at captcha (captcha_response) or set any
> > answer. This method of captcha bypass is described in my project Month of
> > Bugs in Captchas (http://websecurity.com.ua/1498/). Attack is possible
> > while
> > this captcha_sid value is active.
> >
> > Vulnerabilities exist on pages with forms: http://site/contact,
> > http://site/user/1/contact, http://site/user/password and
> > http://site/user/register. Other forms where reCAPTCHA is using also
> > will be
> > vulnerable.
> >
> > Exploit:
> >
> > http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html
> >
> > ------------
> > Timeline:
> > ------------
> >
> > 2010.12.11 - announced at my site.
> > 2010.12.14 - informed reCAPTCHA developers.
> > 2010.12.14 - informed Google (reCAPTCHA owner).
> > 2011.02.16 - disclosed at my site.
> >
> > I mentioned about this vulnerability at my site
> > (http://websecurity.com.ua/4752/).
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/