[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Multiple vulnerabilities in MyBB
- To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB
- From: Andrew Farmer <andfarm@xxxxxxxxx>
- Date: Sat, 23 Apr 2011 12:32:56 -0700
On 2011-04-22, at 09:21, MustLive wrote:
> Information Leakage (WASC-13):
>
> Logins are names of the users at the forum (and so it's possible to reveal
> logins at forum's pages).
You're kidding, right?
Revealing the names of forum users is practically core functionality. There's
no expectation whatsoever that they be kept secret - they're displayed all over
the site, and a member list (giving you the ability to download ALL USER NAMES
ON THE FORUM OMG) is enabled by default.
> Insufficient Anti-automation (WASC-21):
>
> http://site/member.php?action=activate&uid=1
>
> http://site/member.php?action=lostpw
>
> These functionalities have no protection from automated attacks (captcha).
The first one requires an activation code sent by email. I suppose you could
*try* to brute-force it, but you'd probably have better luck brute-forcing the
password on the email address you sent the activation to.
The second one... well, I suppose you could use it to try to determine whether
email addresses belong to anyone on the forum, or send annoying password reset
emails, but adding a CAPTCHA wouldn't really change that much.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/