
Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    If you think that some statements from MustLive like the following:<br>
    <br>
    "<br>
    <pre wrap="">Full path disclosure (WASC-13):

On a POST request to a page with a form, using a Cyrillic character in the
parameter op, an error message is shown which contains the full path on the
system.

Vulnerabilities exist at pages: <a class="moz-txt-link-freetext" href="http://site/user/">http://site/user/</a>, <a class="moz-txt-link-freetext" href="http://site/user/1/edit">http://site/user/1/edit</a>,
<a class="moz-txt-link-freetext" href="http://site/user/password">http://site/user/password</a>, <a class="moz-txt-link-freetext" href="http://site/user/register">http://site/user/register</a>, <a class="moz-txt-link-freetext" href="http://site/contact">http://site/contact</a>,
<a class="moz-txt-link-freetext" href="http://site/user/1/contact">http://site/user/1/contact</a>. Other pages which have forms can also be
vulnerable.

Exploit:

<a class="moz-txt-link-freetext" href="http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html">http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html</a>

As Drupal developers noted, these vulnerabilities appear due to a turned-on
debugging option in the administrator panel. So to prevent these and
other FPD at the site, it is necessary to turn off this option.
</pre>
    "<br>
    are not hilarious, then you're really a noob.<br>
    I mean, every Drupal user knows that the default path to register a
    new user is user/register,<br>
    or that the default admin account is reachable at user/1, or that
    the contact form is at the contact URI.<br>
    <br>
    These are not vulnerabilities, and this is one of the many reasons
    why almost no-one in FD<br>
    reads his "advisories" and flag his address as spam :)<br>
    <br>
    antisnatchor<br>
    <blockquote style="border: 0px none;"
      cite="mid:AANLkTik2NKK-ED3OVyz42kx7mO5rar0pu2cN7p0Uiic9@xxxxxxxxxxxxxx"
      type="cite">
      <div style="margin-left: 40px;">
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.08080901.09010004@gmail.com"
                photoaddress="fxchip@xxxxxxxxx" photoname="Zach C."
                name="compose-unknown-contact.jpg" height="29px"
                width="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:fxchip@xxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Zach C.</a><br>
              <font color="#888888">February 17, 2011 7:29 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        Well, just playing devil's advocate here, mind you, I think much
        of the irritation from MustLive's postings comes from the
        following three reasons:<br>
        <br>
        1.) MustLive is primarily a web-application specialist (for the
        sake of argument)<br>
        2.) The vulnerabilities he finds are of a class of
        vulnerabilities that are most common in his field. (Consider:
        someone searching for vulnerabilities in internet services
        directly and doing the binary analysis will primarily be finding
        buffer or stack overflows, right? In web security, XSS and SQL
        injection (as well as others I'm undoubtedly forgetting -- I am
        *NOT* counting "not using a CAPTCHA" here, see next item) are
        the most common vulnerabilities, given the lack of binary code
        to overwrite)<br>
        3.) Every so often he posts a vulnerability of questionable risk
        in the form of "anti-automation" which is essentially a fancy
        way of saying "ha ha they don't use CAPTCHA." I don't consider
        that a vulnerability so much as an opening for annoyance; I
        suppose your mileage may vary. <br>
        <br>
        My guess is that there's a thought that web apps are far easier
        to crack at than binaries, so vulnerabilities are easier to
        find, therefore don't waste time finding something that's
        "useless." That may be, in some cases, but sometimes a
        vulnerability in the web app destroys the entire chain, so to
        speak. <br>
        <br>
        Thoughts?<br>
        <br>
        -Zach<br>
        <br>
        (P.S. Still just playing devil's advocate; sometimes they get to
        annoy the crap out of me too.)<br>
        <br>
        <br>
        <br>
        <br>
        <div>_______________________________________________<br>
          Full-Disclosure - We believe in it.<br>
          Charter: <a class="moz-txt-link-freetext" href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
          Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext" href="http://secunia.com/">http://secunia.com/</a></div>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.08080901.09010004@gmail.com"
                photoaddress="eyeballing.weev@xxxxxxxxx"
                photoname="Eyeballing Weev"
                name="compose-unknown-contact.jpg" height="29px"
                width="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true"
                href="mailto:eyeballing.weev@xxxxxxxxx" style="color:
                rgb(0, 136, 204) ! important; text-decoration: none !
                important;">Eyeballing Weev</a><br>
              <font color="#888888">February 17, 2011 6:57 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <div>It's either he floods f-d with his "vulnerabilities" or he
          has to go out <br>
          in the real world to farm dirt for export to the West.<br>
        </div>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.08080901.09010004@gmail.com"
                photoaddress="fxchip@xxxxxxxxx" photoname="Zach C."
                name="compose-unknown-contact.jpg" height="29px"
                width="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true" href="mailto:fxchip@xxxxxxxxx"
                style="color: rgb(0, 136, 204) ! important;
                text-decoration: none ! important;">Zach C.</a><br>
              <font color="#888888">February 17, 2011 6:54 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <p>fucking *two days*? Is that even enough time for the vendor
          to acknowledge?</p>
        <hr style="border-width: 1px 0pt 0pt; border-style: dotted none
          none; border-color: rgb(181, 181, 181) -moz-use-text-color
          -moz-use-text-color; height: 1px; margin: 15px 0pt 0pt;"
          class="__pbConvHr"><br>
      </div>
      <table style="padding-top: 5px;" class="__pbConvTable">
        <tbody>
          <tr>
            <td valign="top"><img
                src="cid:part1.08080901.09010004@gmail.com"
                photoaddress="mustlive@xxxxxxxxxxxxxxxxxx"
                photoname="MustLive" name="compose-unknown-contact.jpg"
                height="29px" width="29px"></td>
            <td style="padding-left: 5px;" valign="top"><a
                moz-do-not-send="true"
                href="mailto:mustlive@xxxxxxxxxxxxxxxxxx" style="color:
                rgb(0, 136, 204) ! important; text-decoration: none !
                important;">MustLive</a><br>
              <font color="#888888">February 17, 2011 6:18 PM</font></td>
          </tr>
        </tbody>
      </table>
      <div style="color: rgb(136, 136, 136); margin-left: 40px;"
        __pbrmquotes="true" class="__pbConvBody"><br>
        <div>Hello list!<br>
          <br>
          I want to warn you about an Insufficient Anti-automation
          vulnerability in<br>
          reCAPTCHA for Drupal.<br>
          <br>
          In the MoBiC project in 2007 I already wrote about bypassing
          reCaptcha for<br>
          Drupal (<a class="moz-txt-link-freetext" href="http://websecurity.com.ua/1505/">http://websecurity.com.ua/1505/</a>).
          This is a new method of bypassing<br>
          reCaptcha for Drupal.<br>
          <br>
          -------------------------<br>
          Affected products:<br>
          -------------------------<br>
          <br>
          Vulnerable are all versions of the reCAPTCHA plugin for the Captcha
          module, versions<br>
          before 6.x-2.3 and 7.x-1.0.<br>
          <br>
          ----------<br>
          Details:<br>
          ----------<br>
          <br>
          Insufficient Anti-automation (WASC-21):<br>
          <br>
          In different forms in Drupal the vulnerable captcha plugin
          reCAPTCHA is<br>
          used. Drupal's Captcha module is vulnerable itself, so
          besides reCAPTCHA<br>
          other captcha plugins can also be vulnerable (this
          exploit is a<br>
          little different from the exploit for the default Captcha module for
          Drupal).<br>
          <br>
          To bypass the captcha it is necessary to use a correct value of
          captcha_sid;<br>
          it is then possible not to answer the captcha (captcha_response)
          or to set any<br>
          answer. This method of captcha bypass is described in my
          project Month of<br>
          Bugs in Captchas (<a class="moz-txt-link-freetext" href="http://websecurity.com.ua/1498/">http://websecurity.com.ua/1498/</a>).
          The attack is possible while<br>
          this captcha_sid value is active.<br>
          <br>
          Vulnerabilities exist on pages with forms:
          <a class="moz-txt-link-freetext" href="http://site/contact">http://site/contact</a>,<br>
          <a class="moz-txt-link-freetext" href="http://site/user/1/contact">http://site/user/1/contact</a>, <a class="moz-txt-link-freetext" href="http://site/user/password">http://site/user/password</a> and<br>
          <a class="moz-txt-link-freetext" href="http://site/user/register">http://site/user/register</a>. Other forms
          where reCAPTCHA is<br>
          used will also be<br>
          vulnerable.<br>
          <br>
          Exploit:<br>
          <br>
<a class="moz-txt-link-freetext" href="http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html">http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html</a><br>
          <br>
          ------------<br>
          Timeline:<br>
          ------------<br>
          <br>
          2010.12.11 - announced at my site.<br>
          2010.12.14 - informed reCAPTCHA developers.<br>
          2010.12.14 - informed Google (reCAPTCHA owner).<br>
          2011.02.16 - disclosed at my site.<br>
          <br>
          I mentioned this vulnerability at my site<br>
          (<a class="moz-txt-link-freetext" href="http://websecurity.com.ua/4752/">http://websecurity.com.ua/4752/</a>).<br>
          <br>
          Best wishes &amp; regards,<br>
          MustLive<br>
          Administrator of Websecurity web site<br>
          <a class="moz-txt-link-freetext" href="http://websecurity.com.ua">http://websecurity.com.ua</a><br>
        </div>
      </div>
    </blockquote>
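The captcha_sid replay that MustLive's advisory describes, modelled as an added example that is not part of this thread and is not the Drupal Captcha or reCAPTCHA module's code: a validator that keeps accepting an active, already-solved session whatever captcha_response says, beside a single-use validator that consumes the session on its first check. The in-memory session store, the solution strings and the timestamps are constructed.

```python
import secrets
import time

# Constructed in-memory stand-in for a CAPTCHA session table (sid -> record).
# This models the bug class described in the thread, not the Drupal module's code.
SESSIONS = {}


def new_session(solution, ttl=300, now=None):
    """Issue a challenge: random sid, expected answer, expiry time."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"solution": solution, "status": "unsolved", "expires": now + ttl}
    return sid


def validate_vulnerable(sid, response, now=None):
    """Replay-prone: once solved, an active sid passes with any or no response."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None or rec["expires"] < now:
        return False
    if rec["status"] == "solved":
        return True  # captcha_response is never looked at again while the sid lives
    if response == rec["solution"]:
        rec["status"] = "solved"
        return True
    return False


def validate_hardened(sid, response, now=None):
    """Single-use: the sid is consumed on the first check, right or wrong."""
    now = time.time() if now is None else now
    rec = SESSIONS.pop(sid, None)  # one attempt per challenge; a retry needs a new sid
    if rec is None or rec["expires"] < now or response is None:
        return False
    return secrets.compare_digest(response.encode(), rec["solution"].encode())


if __name__ == "__main__":
    sid = new_session("7xk2q", now=1000.0)
    print(validate_vulnerable(sid, "7xk2q", now=1001.0))  # True: first, correct answer
    print(validate_vulnerable(sid, "", now=1002.0))       # True: replayed sid, empty answer
    sid = new_session("7xk2q", now=1000.0)
    print(validate_hardened(sid, "7xk2q", now=1001.0))    # True
    print(validate_hardened(sid, "7xk2q", now=1002.0))    # False: sid already consumed
```

Expiry alone does not close the hole in the first validator: every submission inside the TTL window reuses the solved sid, which is exactly the "while this captcha_sid value is active" condition in the advisory.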
  </body>
</html>
