Re: Vulnerabilities in phpCOIN

["MustLive" <mustlive () websecurity com ua>]

Hello Jan, Valdis, Christian and Jeff!

I'll answer at all your letters in one message. Even if I already banned Jan
and he put my email to his blacklist, it's possible that he will read it in
the list.

First, it's good that my advisory about vulnerabilities in phpCOIN (and also
many previous advisories concerning with CaptchaSecurityImages.php) gave you
occasion for the discussion. But for me it's strange, because my message to
the list was designed only for informing purposes.

Second, last week I answered at one letter with questions concerning these
vulnerabilities in CaptchaSecurityImages.php and webapps with it
(http://www.securityfocus.com/archive/1/510625/30/0/threaded). And I
recommend to look at it for everyone who decided to ask me any question on
this subject (because in that letter I have answered at many questions).

> Quoting the list charter: "Gratuitous advertisement, product
> placement, or self-promotion is forbidden."

And from what do you see, that I'm doing any advertising, product placement
or promoting? Jan, if you do such things, than don't need to think, that
other people do them. If you are mercantile human, than don't need to think
that other are the same. Never judge about other people by yourself.

For more than five years, when I'm working in webappsec and informing admins
of web sites and web developers all over the world about holes at theirs
site (web apps), I only spending my own time to help people (mostly in other
fields I do the same). And 99% of my work in webappsec field for this time
was free and gratuitous. So any lame statements concerning mercantilism into
my address is not serious.

And also tell me, please, do you moderator of the list? You don't, so why
you're blaming me for breaking list charter? There is a moderator, so he
must do it (and let him to do his work). All my letters to the list is first
approved by moderator (for all time while I posting to the list from
September 2009) - so if he finds my messages appropriate, then there must be
no questions (especially lame ones).

Besides, for many years I saw many times a direct advertising in security
advisories (of different security software, services and companies). And
this advert can't influence on me, because I can distinguish advert from
other text in advisories. And I have never seen any Jan's blaming about many
of such cases of advertising in security lists. So it's already double
standards (which is not good).

> And where's the point in reporting several projects that use a -say-
> library which has a reported problem?

I have already answered at this question into Bugtraq (see above-mentioned
link). Here is a quote:

Because developers of CaptchaSecurityImages already fixed most of the holes
in their script in 2007 and still many developers around the world are using
vulnerable version of the script or "develop" holes (by ignoring developer's
recommendations), I decided to inform those web developers also and to write
additional advisories. Not inform every site owner with this
CaptchaSecurityImages.php (there are too many of them), but inform all web
developers who use this script. It's only way to draw their attention to
these issues.

Your non-acceptance of advisories about different applications with holes in
the same script (library) is incorrect and there is also double standards.
And latter in this letter I'll write additionally about this.

> (I mean, you've send quite the same mail with a different software to
> bugtraq, today.)

Man, I post the same message at the same time to Bugtraq and to
Full-Disclosure (and those who decided to publish it, it'll do it). I
decided to post to both lists, because in 2009 I found few times some not
serious behavior of Bugtraq's moderator (and then in September 2009 I
started posting to this list). If you found other software with holes in
CaptchaSecurityImages.php in Bugtraq in that day, it's just because
Bugtraq's moderator only that day approved my letter.

> The whole point of your "advisories" is self promotion and promotion
> of your website.

I already answered above on your not serious blaming. If you look at any
link and see promotion in it, then it's your problem. And because you have
never blame other advisories "for links" (especially advertising links,
which I mentioned above), only wrote about my advisories, then it's double
standards.

> A few years ago, a rather nasty vulnerability was found in the zlib
> compression library.

Thanks, Valdis, for your example.

For many years I saw a lot of such cases in security mailing lists, where
there were a lot of different advisories about the same holes in different
applications.

Among an examples of such vulnerabilities in different applications (web and
desktop) I'll give the next: different developers of Linux distributives,
which all the time release separate advisories about holes in all
applications (made by different developers) which they include in bundle,
last case with Flash 6 in Windows XP, different open source projects, e.g.
PHP (which used external libraries), and also projects which use PCRE, curl
and other popular libraries, and web apps which includes other web apps (and
libraries), similarly to case with CaptchaSecurityImages.php. I see such
cases all the time in mailing lists and I have never seen not Jan's, nor any
other's blaming on such advisories.

So what's Jan's problem (and all others who moaning about these
CaptchaSecurityImages.php related issues)? The problem concerning
advisories about similar issues in different software is the same as
mentioned above - it's double standards (which is not good).

> It isn't *just* Apple, it's Linux, Microsoft and just about any other
> company.

Christian, you are right. A lot of software, both open source and closed
source, consist from a lot of additional programs (or libraries) and it's
very widespread that software put a lot of others apps in a bundle.
Sometimes even doing it hiddenly, and it's not about adware and other
spyware, but about legal applications.

And my last researches, such as about XSS vulnerabilities in 34 millions
flash files (in one single swf-file which is widespread all over the Web)
and about CaptchaSecurityImages.php and webapps which are using it, show
that particularly in open source vulnerable (web) applications can
widespread very much.

> various "hitch hiker" applications... toolbars, trial software, etc.

Jeff, I'm agree with you. With every year the amount of "bundled" software
(which come with other application) is growing. And all of these apps, both
"main" and "bundled" ones, can have their own holes (so with every
additional "bonus" program the overall security of the system is
decreasing). So everyone must take care of "additional apps", both web and
desktop (such as toolbars), and install only what they really want.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Jan G.B." <ro0ot.w00t () googlemail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, April 09, 2010 4:49 PM
Subject: Re: [Full-disclosure] Vulnerabilities in phpCOIN


> 2010/4/9 MustLive <mustlive () websecurity com ua>:
> > Hello Full-Disclosure!
>
> Quoting the list charter: "Gratuitous advertisement, product
> placement, or self-promotion is forbidden."
>
> And where's the point in reporting several projects that use a -say-
> library which has a reported problem? (I mean, you've send quite the
> same mail with a different software to bugtraq, today.)
>
> The whole point of your "advisories" is self promotion and promotion
> of your website.
>
>
>
>
>
> > I want to warn you about security vulnerabilities in system phpCOIN.
> >
> > -----------------------------
> > Advisory: Vulnerabilities in phpCOIN
> > -----------------------------
> > URL: http://websecurity.com.ua/4090/
> > -----------------------------
> > Affected products: phpCOIN 1.6.5 and previous versions.
> > -----------------------------
> > Timeline:
> > 17.03.2010 - found vulnerabilities.
> > 01.04.2010 - disclosed at my site.
> > 02.04.2010 - informed developers.
> > -----------------------------
> > Details:
> >
> > These are Insufficient Anti-automation and Denial of Service
> > vulnerabilities.
> >
> > The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
> > which
> > is using in this system. I already reported about vulnerabilities in
> > CaptchaSecurityImages (http://websecurity.com.ua/4043/).
> >
> > Insufficient Anti-automation:
> >
> > http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
> >
> > Captcha bypass is possible via half-automated or automated (with using of
> > OCR) methods, which were mentioned before
> > (http://websecurity.com.ua/4043/).
> >
> > DoS:
> >
> > http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
> >
> > With setting of large values of width and height it's possible to create
> > large load at the server.
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/