Bugtraq mailing list archives
Re: Vulnerability in CB Captcha for Joomla and Mambo
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 16 Apr 2010 23:33:04 +0300
Hello Matteo Valenza!
> how can I solve this issue quickly?
Here are the solutions for you:

1. Wait until the developers of CB Captcha release a new fixed version of the plugin. They have been examining this vulnerability for some time already (at least Beat, the developer of CB Captcha 2.x, because of the two authors only he answered me). But Beat told me that they will not be releasing the new fixed version very quickly (due to their standardized bugfixing process), so users of CB Captcha will need to wait for the new release.

2. Contact Beat and ask him when the developers will be releasing the new version of the plugin, and hurry them.

3. Fix the hole manually. It's the quickest solution, and it's possible that you were asking exactly about it.

To fix this vulnerability in CB Captcha you need to do what I recommend to the developers of the plugin: use the standard algorithm for fixing this captcha bypass method, which I called the session reusing with constant captcha bypass method and described in detail in my MoBiC project in 2007. It concerns all captcha programs which use sessions.

The algorithm for fixing this issue in CaptchaSecurityImages.php (and it concerns CB Captcha and all those webapps with this captcha in my last advisories, where I mentioned that) was described by the developers of CaptchaSecurityImages.php already on 27.03.2007 at their site (http://www.white-hat-web-design.co.uk/articles/php-captcha.php). For that you need to clear the session variable "security_code" (or whatever other name is used in the code of the specific webapp). Use unset($_SESSION['security_code']); in the code when you are processing the form.

This solution can be used for all affected web applications mentioned by me in my last advisories (that have this hole). But concerning CB Captcha, while it works in Joomla 1.0 and Mambo, it doesn't work in Joomla 1.5, because it uses another method of working with sessions and another code must be used for it (for clearing the session).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Matteo Valenza" <ilmetu () gmail com>
To: "Susan Bradley" <sbradcpa () pacbell net>
Cc: "MustLive" <mustlive () websecurity com ua>; <bugtraq () securityfocus com>
Sent: Friday, April 16, 2010 8:08 PM
Subject: Re: Vulnerability in CB Captcha for Joomla and Mambo

how can I solve this issue quickly?

Thanks.

On 15 Apr 2010, at 21:11, Susan Bradley wrote:
Dear Bugtraq.

I am an admin of a site that has Captcha that spam gets through and the CPU sucks.

Honest question -- are you going to post about every site that has lousy captcha? Would it be faster if us admins that have lousy captcha just outed ourselves first?

MustLive wrote:

Hello Bugtraq!

I want to warn you about a security vulnerability in the plugin CB Captcha (plug_cbcaptcha) for the component Community Builder (com_comprofiler) for Joomla and Mambo.

The posting of this advisory to mailing lists was delayed, because I found that there are two different vulnerable versions of the plugin developed by different authors, so I needed to inform all authors.

-----------------------------
Advisory: Vulnerability in CB Captcha for Joomla and Mambo
-----------------------------
URL: http://websecurity.com.ua/4087/
-----------------------------
Affected products: CB Captcha 1.0.2 and previous versions (developed by Kotofeich), CB Captcha 2.2 and previous versions (developed by Beat).
-----------------------------
Timeline:

17.03.2010 - found vulnerability.
31.03.2010 - disclosed at my site.
01.04.2010 - informed developer of CB Captcha 1.x. And because I found another version of the plugin by another author, after checking it later I informed the author of CB Captcha 2.x.
13.04.2010 - additionally informed developers of Community Builder (both joomlapolis.com and communitybuilder.ru).
-----------------------------
Details:

This is an Insufficient Anti-automation vulnerability. This plugin is based on the captcha script CaptchaSecurityImages.php and I already reported about vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/). In the plugin plug_cbcaptcha all Insufficient Anti-automation and Denial of Service vulnerabilities from the original script were fixed, except one.
Insufficient Anti-automation:

In the plugin it's possible to bypass the captcha using the session reusing with constant captcha bypass method (http://websecurity.com.ua/1551/), which was described in the project Month of Bugs in Captchas. Using this method it's possible to bypass protection by sending the same captcha code. It can be done at all pages where this plugin is used. In CB Captcha 1.x it's used at the registration page, lost password form and lost email form. In CB Captcha 2.x, in addition to the before-mentioned forms, it's used at the contact form (in the presence of component CB Contact 1.1) and login form (in the presence of login module of CB 1.2).

PoC:

The PoC for this Insufficient Anti-automation vulnerability was provided to developers. Everyone who wants can create such a PoC from the exploit provided in the above-mentioned article from the MoBiC project.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
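
The manual fix described in the reply at the top of this message (clearing "security_code" when the form is processed), shown as an added example that is not code from CB Captcha, CaptchaSecurityImages.php or either poster. The function names and the $session array standing in for $_SESSION are assumptions so the script runs from the command line (PHP 7 or later); it covers the plain $_SESSION case only, not the Joomla 1.5 session mechanism the reply mentions.

```php
<?php
// Added illustration; function names are hypothetical, not from CB Captcha.
// $session stands in for $_SESSION so the script runs from the CLI.

// What the captcha image script does: store the expected code in the session.
function issue_captcha(array &$session): string
{
    $code = substr(bin2hex(random_bytes(4)), 0, 6);
    $session['security_code'] = $code;
    return $code;
}

// Before the fix: the code stays in the session after the check, so the
// same session plus the same code keeps passing on every later submission.
function check_captcha_vulnerable(array &$session, string $submitted): bool
{
    return isset($session['security_code'])
        && hash_equals($session['security_code'], $submitted);
}

// After the fix: read the expected code, then unset it before comparing,
// so each issued code is good for one form submission, right or wrong.
function check_captcha_fixed(array &$session, string $submitted): bool
{
    $expected = $session['security_code'] ?? null;
    unset($session['security_code']);
    return is_string($expected) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Constructed scenario: one captcha solved once, the form submitted three
// times within the same session without requesting a new image.
foreach (['check_captcha_vulnerable', 'check_captcha_fixed'] as $check) {
    $session = [];
    $code = issue_captcha($session);
    $results = [];
    for ($i = 0; $i < 3; $i++) {
        $results[] = $check($session, $code) ? 'accepted' : 'rejected';
    }
    echo $check, ': ', implode(', ', $results), PHP_EOL;
}
```

Clearing the value before the comparison, rather than only after a success, also means a wrong guess consumes the code, so one image cannot be guessed at repeatedly.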