Full Disclosure mailing list archives
Re: Vulnerabilities in phpCOIN
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 15 Apr 2010 23:55:49 +0300
Hello Jan, Valdis, Christian and Jeff! I'll answer all your letters in one message. Even though I have already banned Jan and he put my email on his blacklist, it's possible that he will read it on the list. First, it's good that my advisory about vulnerabilities in phpCOIN (and also many previous advisories concerning CaptchaSecurityImages.php) gave you an occasion for the discussion. But for me it's strange, because my message to the list was intended only for informational purposes. Second, last week I answered one letter with questions concerning these vulnerabilities in CaptchaSecurityImages.php and web apps that use it (http://www.securityfocus.com/archive/1/510625/30/0/threaded). And I recommend everyone who has decided to ask me any question on this subject to look at it (because in that letter I have answered many questions).
Quoting the list charter: "Gratuitous advertisement, product placement, or self-promotion is forbidden."
And from what do you see that I'm doing any advertising, product placement or promotion? Jan, if you do such things, there is no need to think that other people do them. If you are a mercantile person, there is no need to think that others are the same. Never judge other people by yourself. For more than five years, while I have been working in webappsec and informing admins of web sites and web developers all over the world about holes in their sites (web apps), I have only been spending my own time to help people (mostly I do the same in other fields). And 99% of my work in the webappsec field during this time was free and gratuitous. So any lame statements about mercantilism addressed to me are not serious. And also tell me, please, are you the moderator of the list? You aren't, so why are you blaming me for breaking the list charter? There is a moderator, so he must do it (and let him do his work). All my letters to the list are first approved by the moderator (for all the time I have been posting to the list, since September 2009) - so if he finds my messages appropriate, then there must be no questions (especially lame ones). Besides, for many years I have seen direct advertising in security advisories many times (of different security software, services and companies). And this advertising can't influence me, because I can distinguish advertising from the other text in advisories. And I have never seen Jan blaming anyone for the many such cases of advertising in security lists. So it's already double standards (which is not good).
And where's the point in reporting several projects that use a -say- library which has a reported problem?
I have already answered this question on Bugtraq (see the above-mentioned link). Here is a quote: Because the developers of CaptchaSecurityImages already fixed most of the holes in their script in 2007 and still many developers around the world are using the vulnerable version of the script or "develop" holes (by ignoring the developer's recommendations), I decided to inform those web developers as well and to write additional advisories. Not to inform every site owner with this CaptchaSecurityImages.php (there are too many of them), but to inform all web developers who use this script. It's the only way to draw their attention to these issues. Your non-acceptance of advisories about different applications with holes in the same script (library) is incorrect and is also double standards. And later in this letter I'll write more about this.
(I mean, you've sent quite the same mail with different software to bugtraq today.)
Man, I post the same message at the same time to Bugtraq and to Full-Disclosure (and those who decide to publish it will do so). I decided to post to both lists because in 2009 I found a few times some not serious behavior by Bugtraq's moderator (and then in September 2009 I started posting to this list). If you found other software with holes in CaptchaSecurityImages.php on Bugtraq that day, it's just because Bugtraq's moderator approved my letter only that day.
The whole point of your "advisories" is self promotion and promotion of your website.
I already answered your not serious blaming above. If you look at any link and see promotion in it, then it's your problem. And because you have never blamed other advisories "for links" (especially advertising links, which I mentioned above), and only wrote about my advisories, it's double standards.
A few years ago, a rather nasty vulnerability was found in the zlib compression library.
Thanks, Valdis, for your example. For many years I have seen a lot of such cases in security mailing lists, where there were a lot of different advisories about the same holes in different applications. Among the examples of such vulnerabilities in different applications (web and desktop) I'll give the following: different developers of Linux distributions, which all the time release separate advisories about holes in all the applications (made by different developers) which they include in their bundle; the last case with Flash 6 in Windows XP; different open source projects, e.g. PHP (which uses external libraries), and also projects which use PCRE, curl and other popular libraries; and web apps which include other web apps (and libraries), similarly to the case with CaptchaSecurityImages.php. I see such cases all the time in mailing lists and I have never seen Jan's, nor anyone else's, blaming of such advisories. So what's Jan's problem (and that of all the others who are moaning about these CaptchaSecurityImages.php related issues)? The problem concerning advisories about similar issues in different software is the same as mentioned above - it's double standards (which is not good).
It isn't *just* Apple, it's Linux, Microsoft and just about any other company.
Christian, you are right. A lot of software, both open source and closed source, consists of a lot of additional programs (or libraries), and it's very widespread that software puts a lot of other apps in a bundle. Sometimes it is even done hiddenly, and this is not about adware and other spyware, but about legal applications. And my latest research, such as on XSS vulnerabilities in 34 million flash files (in one single swf-file which is widespread all over the Web) and on CaptchaSecurityImages.php and the web apps which are using it, shows that particularly in open source, vulnerable (web) applications can spread very widely.
various "hitch hiker" applications... toolbars, trial software, etc.
Jeff, I agree with you. Every year the amount of "bundled" software (which comes with other applications) is growing. And all of these apps, both "main" and "bundled" ones, can have their own holes (so with every additional "bonus" program the overall security of the system decreases). So everyone must take care with "additional apps", both web and desktop (such as toolbars), and install only what they really want.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Jan G.B." <ro0ot.w00t () googlemail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, April 09, 2010 4:49 PM
Subject: Re: [Full-disclosure] Vulnerabilities in phpCOIN
2010/4/9 MustLive <mustlive () websecurity com ua>:
> Hello Full-Disclosure!

Quoting the list charter: "Gratuitous advertisement, product placement, or self-promotion is forbidden."
And where's the point in reporting several projects that use a -say- library which has a reported problem?
(I mean, you've sent quite the same mail with different software to bugtraq today.)
The whole point of your "advisories" is self promotion and promotion of your website.

> I want to warn you about security vulnerabilities in the phpCOIN system.
>
> -----------------------------
> Advisory: Vulnerabilities in phpCOIN
> -----------------------------
> URL: http://websecurity.com.ua/4090/
> -----------------------------
> Affected products: phpCOIN 1.6.5 and previous versions.
> -----------------------------
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 01.04.2010 - disclosed at my site.
> 02.04.2010 - informed developers.
> -----------------------------
> Details:
>
> These are Insufficient Anti-automation and Denial of Service vulnerabilities.
>
> The vulnerabilities exist in the captcha script CaptchaSecurityImages.php, which is used in this system. I already reported vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>
> Insufficient Anti-automation:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
>
> Captcha bypass is possible via half-automated or automated (using OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).
>
> DoS:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
>
> By setting large values of width and height it's possible to create a large load on the server.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
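A hardened way to read the three query parameters named in the quoted advisory, added here as an example; it is not code from this page nor from the CaptchaSecurityImages.php or phpCOIN projects. The parameter names width, height and characters come from the advisory's URLs; the ranges and defaults below are assumptions.

```php
<?php
// Added example, not the project's code: clamp the captcha parameters
// instead of trusting the query string. Limits and defaults are assumed.
const CAPTCHA_LIMITS = [
    'width'      => ['min' => 60, 'max' => 300, 'default' => 120],
    'height'     => ['min' => 20, 'max' => 100, 'default' => 40],
    'characters' => ['min' => 5,  'max' => 8,   'default' => 6],
];

/**
 * Return a safe integer for $name. Anything that is not a short plain
 * decimal string (arrays from ?width[]=1, signs, floats, huge numbers)
 * or that lies outside [min, max] is replaced by the server-side default,
 * so a client can neither request an oversized image nor a trivially
 * short challenge.
 */
function captcha_param(array $query, string $name): int
{
    $limit = CAPTCHA_LIMITS[$name];
    if (!isset($query[$name]) || !is_string($query[$name])
        || !preg_match('/^\d{1,4}\z/', $query[$name])) {
        return $limit['default'];
    }
    $value = (int) $query[$name];
    if ($value < $limit['min'] || $value > $limit['max']) {
        return $limit['default'];
    }
    return $value;
}

// Replaces the direct reads of $_GET before the image is generated.
$width      = captcha_param($_GET, 'width');
$height     = captcha_param($_GET, 'height');
$characters = captcha_param($_GET, 'characters');
// $captcha = new CaptchaSecurityImages($width, $height, $characters);
```

If the application never needs client-chosen sizes, dropping the parameters and hardcoding the values is simpler still; rate-limiting image generation per session covers the residual load from repeated requests.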
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/