Full Disclosure mailing list archives
Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC
From: Jacqui Caren-home <jacqui.caren () ntlworld com>
Date: Fri, 18 Feb 2011 14:16:01 +0000
On 15/02/2011 16:55, Michele Orru wrote:
2011/2/14 MustLive<mustlive () websecurity com ua>:Hello Michele! Few days ago I saw your advisory about Drupal's captcha. It's interesting advisory, but I have one note concerning it - your research is very close to mine ;-) (it concerns similar holes which I found before you).I didn't found anything in FD or other public lists mentioning this issue before, so.... :)
Its not just Drupal - a number of captcha systems are open to attacks of this form. For instance hotfile.com is randomly open, allowing downloads of multiple files because of capcha "cookie replay". I have seen this - by accident I should point out - on a number of (commercial) sites where captcha is employed for login or download sanity checks. The most recent system to be borked during upgrade was http://www.nextgenserver.com/calculator/ Jacqui _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC MustLive (Feb 14)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 14)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Jacqui Caren-home (Feb 18)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 14)