Full Disclosure mailing list archives
Re: Vulnerabilities in TAK cms
From: Benji <me () b3nji com>
Date: Thu, 8 Apr 2010 21:30:10 +0100
nah, he'd be telling us how that was an easy way to find valid accounts.

-Benji

On Thu, Apr 8, 2010 at 6:30 PM, T Biehn <tbiehn () gmail com> wrote:

> If there were an account lockout after 5 tries would you be telling us about how there was a DOS vector on the same software?
>
> -Travis
>
> On Mon, Apr 5, 2010 at 4:35 PM, MustLive <mustlive () websecurity com ua> wrote:
>
>> Hello Full-Disclosure!
>>
>> I want to warn you about security vulnerabilities in TAK cms. It's a Ukrainian commercial CMS.
>>
>> -----------------------------
>> Advisory: Vulnerabilities in TAK cms
>> -----------------------------
>> URL: http://websecurity.com.ua/4050/
>> -----------------------------
>> Timeline:
>> 04.02.2009 - found vulnerabilities.
>> 30.09.2009 - informed owners of web sites where I found these vulnerabilities. Taking into account that I didn't find any contact data of the developer of TAK cms, I hope that the owners of those sites informed him about these vulnerabilities. This is one of those cases with commercial CMS where the developers didn't leave any contact data and there is no information about them on the Internet.
>> 19.03.2010 - disclosed at my site.
>> -----------------------------
>> Details:
>>
>> These are Insufficient Anti-automation and Brute Force vulnerabilities.
>>
>> Insufficient Anti-automation:
>>
>> http://site/about/contacts/
>> http://site/register/getpassword/
>>
>> On these pages there is no protection from automated requests (captcha).
>>
>> Brute Force:
>>
>> http://site/auth/
>> http://site/admin/
>>
>> In the login forms there is no protection from Brute Force attacks.
>>
>> All versions of TAK cms are vulnerable.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
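The thread argues over three failure modes of a login form: no throttling (brute force), a per-account lockout (a remote party can lock users out), and a lockout whose response differs for unknown accounts (an easy way to find valid ones). The following is an added Python example, not code from any of the posts or from TAK cms, showing one throttle design that addresses all three: failures are counted per client and account pair, and an unknown account is answered and throttled exactly like a wrong password. The user store, addresses, thresholds and class name are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential store standing in for the CMS user table (bytes for compare_digest).
USERS = {"alice": b"correct horse battery staple"}
_DUMMY_SECRET = b"\x00" * 28  # compared against when the account does not exist


class LoginThrottle:
    """Sliding-window failure counter keyed on (client address, account).

    Keying on the pair, not the account alone, stops a remote party locking a real
    user out; unknown accounts get the same answer and schedule as wrong passwords.
    """

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._failures = defaultdict(list)  # (client, account) -> failure timestamps

    def _recent_failures(self, key, now):
        kept = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = kept
        return kept

    def attempt(self, client, username, password):
        """Return 'ok', 'invalid' or 'throttled'; never reveals whether the account exists."""
        now = self.clock()
        key = (client, username)
        recent = self._recent_failures(key, now)
        if len(recent) >= self.max_failures:
            return "throttled"
        stored = USERS.get(username)
        # Always run the comparison so unknown and known accounts cost the same time.
        matched = hmac.compare_digest(stored or _DUMMY_SECRET, password.encode())
        if stored is not None and matched:
            self._failures.pop(key, None)  # a successful login clears the counter
            return "ok"
        recent.append(now)
        return "invalid"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for pw in ("guess1", "guess2", "guess3", "guess4"):
        print(throttle.attempt("203.0.113.7", "alice", pw))
```

The per-pair key trades off against a distributed guessing campaign from many addresses, so in practice it is combined with a per-client counter and a slow password hash rather than used alone.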