[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Multiple vulnerabilities in MyBB



I had another question too -- this one a bit more general. With services
like deathbycaptcha, could CAPTCHA itself now be considered insufficient
anti-automation, and how would you address that?

On Apr 25, 2011 11:59 AM, "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> wrote:
> Hello Andrew!
>
>> You're kidding, right?
>
> No, I'm serious - as I'm always serious when talk about vulnerabilities.
>
>> Revealing the names of forum users is practically core functionality.
>
> Of course it's core functionality. But the hole, as I exactly wrote in my
> advisory, is in revealing of logins. So issue is laying in using logins as
a
> names, so in result the showing names at different parts of the forum is
> leading to leakage of logins. It's quite widespread in forum engines and
> other webapps to disclose their logins (via different Information Leakage
> and Abuse of Functionality holes) as nothing important. Some CMS like
Drupal
> even have official answer concerning this issue
> (http://drupal.org/node/1004778). From my side, I've informed Drupal
> developers about 8 login leakage holes which I found (in Drupal 6, new 7
> version must have them all, because of developers' ignoring of this issue)
> and gave them recommendations why and how to fix such holes to not reveal
> logins and to preserve Drupal's philosophy.
>
> Many forums (almost all) have similar login leakage vulnerabilities. For
> example IPB and Vbulletin, which developers I've informed about them in
> 2009. Like I informed many other developers and admins about such holes,
> beside developers of MyBB (which ignored to fix them, as many like to do).
>
> I saw a lot of such vulnerabilities for more then six years. And in 2008 I
> started to write about them at my site (like about holes in WordPress),
> wrote article Enumerating logins via Abuse of Functionality
vulnerabilities
> (http://websecurity.com.ua/2840/) and starting from 2009 I've begun
actively
> fighting with them - by informing many admins and developers about such
> vulnerabilities. In my practice most web developers and admins of sites
> ignored such holes, but there were those who fixed them. For example
> developers of IPB, which have such holes in IPB 1 and 2, after my
informing
> (at begging of 2009) fixed all such holes in their engine in IPB 3 (it
have
> released in summer 2009). It must be obvious why I'm using Invision Power
> Board as engine for my forum for more then 6 years.
>
>> The first one requires an activation code sent by email.
>
> This IAA hole can be used for automatic registration. Altogether with IAA
> hole at registration page. To put captcha to first or to second or to both
> of the pages - it's up to developers. But the protection must be reliable.
>
> Plus they have login leakage in this functionality. I've informed
developers
> of MyBB about all (which I found at brief looking at this engine) login
> leakage vulnerabilities.
>
>> The second one
>
> This functionality with IAA allows spammers to identify valid e-mails of
> existing forum users and also allows to spam registered users from the
forum
> with "password recovery" letters. Both of which can be easily mitigated by
> installing captcha at this functionality.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Andrew Farmer" <andfarm@xxxxxxxxx>
> To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
> Cc: "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, April 23, 2011 10:32 PM
> Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB
>
>
> On 2011-04-22, at 09:21, MustLive wrote:
>> Information Leakage (WASC-13):
>>
>> Logins are names of the users at the forum (and so it's possible to
reveal
>> logins at forum's pages).
>
> You're kidding, right?
>
> Revealing the names of forum users is practically core functionality.
> There's no expectation whatsoever that they be kept secret - they're
> displayed all over the site, and a member list (giving you the ability to
> download ALL USER NAMES ON THE FORUM OMG) is enabled by default.
>
>
>> Insufficient Anti-automation (WASC-21):
>>
>> http://site/member.php?action=activate&uid=1
>>
>> http://site/member.php?action=lostpw
>>
>> These functionalities have no protection from automated attacks
(captcha).
>
> The first one requires an activation code sent by email. I suppose you
could
> *try* to brute-force it, but you'd probably have better luck brute-forcing
> the password on the email address you sent the activation to.
>
> The second one... well, I suppose you could use it to try to determine
> whether email addresses belong to anyone on the forum, or send annoying
> password reset emails, but adding a CAPTCHA wouldn't really change that
> much.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/