[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: Vulnerability in CB Captcha for Joomla and Mambo

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Vulnerability in CB Captcha for Joomla and Mambo
From: none@xxxxxxxxx
Date: Mon, 19 Apr 2010 17:38:20 -0600

I am 100% cretin that this is a vulnerability.   The exact problem is "Client 
Side Trust" in that you are expecting the client to keep its state over a 
security system (your captcha).   This is exploitable,  a bot can just grab a 
new session with each request.  You should be using a sql database to keep 
track of offenders based on their $_SERVER['REMOTE_ADDR'],  and nothing else. 

Further more if you build security systems you MUST be responsible for when 
they end up on bugtraq.

Prev by Date: [security bulletin] HPSBUX02517 SSRT100058 rev.2 - HP-UX Running OpenSSL, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS)
Next by Date: [security bulletin] HPSBUX02518 SSRT100051 rev.1 - HP-UX, Local Denial of Service (DoS)
Previous by thread: Re: Vulnerability in CB Captcha for Joomla and Mambo
Next by thread: Re: Vulnerability in CB Captcha for Joomla and Mambo
Index(es):
- Date
- Thread