Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BF, CSRF, and IAA vulnerabilities in websecurity.com.ua

From: Benji <me () b3nji com>
Date: Tue, 1 Jan 2013 19:51:36 +0000
I was asking for your opinion.


On Tue, Jan 1, 2013 at 7:31 PM, some one <s3cret.squirell () gmail com> wrote:


If you reread what i posted you will see that i do not give my opinion on
the quality of his posts. I will keep that to myself, I just state that its
better than dudes (and your) troll posts.

Regards
On Jan 1, 2013 3:04 PM, "Benji" <me () b3nji com> wrote:


So you would say, that you find the things he posts "of interest"?

Please expand on how and why anti automation bugs in unknown cms's are
"of interest"?


On Mon, Dec 31, 2012 at 11:58 PM, some one <s3cret.squirell () gmail com>wrote:


If you do not like or find of interest what the guy posts is it not
easier to just press delete or filter him out rather than try to make fun
of him?

Give the dude a break man, hes submitting more things of interest than
you are and you just make yourself sound bitter and twisted.

Its new year man, go out and drink a beer or eat some fireworks
On Dec 31, 2012 5:17 PM, "Julius Kivimäki" <julius.kivimaki () gmail com>
wrote:


Hello list!

I want to warn you about multiple extremely severe vulnerabilities in
websecurity.com.ua.

These are Brute Force and Insufficient Anti-automation vulnerabilities
in websecurity.com.ua. These vulnerability is very serious and could
affect million of people.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of websecurity.com.ua.

----------
Details:
----------

Brute Force (WASC-11):

In ftp server (websecurity.com.ua:21) there is no protection from
Brute Force
attacks.

Cross-Site Request Forgery (WASC-09):

Lack of captcha in login form (http://websecurity.com.ua:21/) can be
used for
different attacks - for CSRF-attack to login into account (remote login
- to
conduct attacks on vulnerabilities inside of account), for automated
entering into account, for phishing and other automated attacks. Which
you
can read about in the article "Attacks on unprotected login forms"
(
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html
).

Insufficient Anti-automation (WASC-21):

In login form there is no protection against automated request, which
allow
to picking up logins in automated way by attacking on login function.
------------
Timeline:
------------

2012.06.28 - announced at my site about websecurity.com.ua.
2012.06.28 - informed developers about the first part of
vulnerabilities in
websecurity.com.ua.
2012.06.30 - informed developers about the second part of
vulnerabilities in
websecurity.com.ua.
2012.07.26 - announced at my site about websecurity.com.ua.
2012.07.28 - informed developers about vulnerabilities in
websecurity.com.ua
and reminded about previous two letters I had sent to them with carrier
pigeons.
2012.07.28-2012.10.31 - multiple attempts to contact the owners of
websecurity.com.ua
were ignored by the owners.
2012.11.02 - developers responded "fuck off and kill urself irl!".
2012.12.31 - disclosed on the list

Best wishes & regards,
MustLive
Security master extraordinaire, master sysadmin
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: