Full Disclosure mailing list archives

Brute Force and Abuse of Functionality vulnerabilities in Drupal

From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 18 Feb 2011 21:30:37 +0200

Hello list!

I want to warn you about Brute Force and Abuse of Functionality
vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

In login form (http://site/user/) there is no reliable protection against
brute force attacks. There is no captcha in Drupal itself, and existent
Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all
plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/).

Abuse of Functionality (WASC-42):

At contact page (http://site/contact) and at page for contact with user
(http://site/user/1/contact) there is a possibility to send spam from the
site to arbitrary e-mails via function "Send yourself a copy". And with
using of Insufficient Anti-automation vulnerability it's possible to send
spam from the site in automated manner on a large scale. The attack with
using of this function is possible only for logged in users.

For automated sending of spam it's needed to use before-mentioned
Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal
itself, and existent captcha-module is vulnerable (and also all plugins to
it, such as reCAPTCHA).

About such Abuse of Functionality vulnerabilities I wrote in article Sending
spam via sites and creating spam-botnets
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).

Abuse of Functionality (WASC-42):

At request to specific pages of the site with setting login
(http://site/users/user) it's possible to find existent logins of the users
at site (i.e. to enumerate logins). If shows "Access denied" - then such
login exists, and if "Page not found" - then no.

At request to pages for contact with users (http://site/user/1/contact)
login of the user shows (i.e. it's possible to enumerate logins). The attack
is possible to conduct only for logged in users and it'll work only if
attacked user turned on the option "Personal contact form" in his profile.

------------
Timeline:
------------

2010.12.15 - announced at my site.
2010.12.16 - informed developers.
2011.02.17 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4763/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Brute Force and Abuse of Functionality vulnerabilities in Drupal MustLive (Feb 18)
- Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal Justin Klein Keane (Feb 18)