Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MustLive:  you're a little late to this party, see
http://www.madirish.net/?article=443, published Dec 2009.  The other
issues you mention may already be disclosed.  The Drupal Login Security
module (http://drupal.org/project/login_security) is an effective
mitigation for some of these problems.  Do you do any research before
you publish these advisories?

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey

On 02/18/2011 02:30 PM, MustLive wrote:
> Hello list!
>
> I want to warn you about Brute Force and Abuse of Functionality
> vulnerabilities in Drupal.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Drupal 6.20 and previous versions.
>
> ----------
> Details:
> ----------
>
> Brute Force (WASC-11):
>
> In login form (http://site/user/) there is no reliable protection against
> brute force attacks. There is no captcha in Drupal itself, and existent
> Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all
> plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/).
>
> Abuse of Functionality (WASC-42):
>
> At contact page (http://site/contact) and at page for contact with user
> (http://site/user/1/contact) there is a possibility to send spam from the
> site to arbitrary e-mails via function "Send yourself a copy". And with
> using of Insufficient Anti-automation vulnerability it's possible to send
> spam from the site in automated manner on a large scale. The attack with
> using of this function is possible only for logged in users.
>
> For automated sending of spam it's needed to use before-mentioned
> Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal
> itself, and existent captcha-module is vulnerable (and also all plugins to
> it, such as reCAPTCHA).
>
> About such Abuse of Functionality vulnerabilities I wrote in article Sending
> spam via sites and creating spam-botnets
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).
>
> Abuse of Functionality (WASC-42):
>
> At request to specific pages of the site with setting login
> (http://site/users/user) it's possible to find existent logins of the users
> at site (i.e. to enumerate logins). If shows "Access denied" - then such
> login exists, and if "Page not found" - then no.
>
> At request to pages for contact with users (http://site/user/1/contact)
> login of the user shows (i.e. it's possible to enumerate logins). The attack
> is possible to conduct only for logged in users and it'll work only if
> attacked user turned on the option "Personal contact form" in his profile.
>
> ------------
> Timeline:
> ------------
>
> 2010.12.15 - announced at my site.
> 2010.12.16 - informed developers.
> 2011.02.17 - disclosed at my site.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4763/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1ezF8ACgkQkSlsbLsN1gA3KAb9GAwPgHQPFrmPSam+i9/BDIm0
jiR7Yxx0A9ubv3xvQAyz+cVIvcXEXVE040PirkpcnC6lY4ZXWCdvzUiYVrkarlJC
y6CZ8WVw8xsnjxZb382wHUE00SQF4rylAv4OP0WYDDUqjdEPA+CLxKfaO/LtrmIB
b3QNPEkJhrxNnW6nHc+JeqAG6Ukz+0zpKen+Wi1IPaOR1XGMaiak7IjSdN91u/XV
MHlOKyOr1NLEOMze2+rH8PexbrWAXuWyj74F+2lVOeiiD95ZY3CpnIVKJGb6G79h
EuSuV/+JZ/Idj7pWIO4=
=pZNB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/