Well, just playing devil's advocate here, mind you, I think much
of the irritation from MustLive's postings comes from the
following three reasons:
1.) MustLive is primarily a web-application specialist (for the
sake of argument)
2.) The vulnerabilities he finds are of a class of
vulnerabilities that are most common in his field. (Consider:
someone searching for vulnerabilities in internet services
directly and doing the binary analysis will primarily be finding
buffer or stack overflows, right? In web security, XSS and SQL
injection (as well as others I'm undoubtedly forgetting -- I am
*NOT* counting "not using a CAPTCHA" here, see next item) are
the most common vulnerabilities, given the lack of binary code
to overwrite)
3.) Every so often he posts a vulnerability of questionable risk
in the form of "anti-automation" which is essentially a fancy
way of saying "ha ha they don't use CAPTCHA." I don't consider
that a vulnerability so much as an opening for annoyance; I
suppose your mileage may vary.
My guess is that there's a thought that web apps are far easier
to crack at than binaries, so vulnerabilities are easier to
find, therefore don't waste time finding something that's
"useless." That may be, in some cases, but sometimes a
vulnerability in the web app destroys the entire chain, so to
speak.
Thoughts?
-Zach
(P.S. Still just playing devil's advocate; sometimes they get to
annoy the crap out of me too.)
It's either he floods f-d with his "vulnerabilities" or he
has to go out
in the real world to farm dirt for export to the West.
fucking *two days*? Is that even enough time for the vendor
to acknowledge?
Hello list!
I want to warn you about Insufficient Anti-automation
vulnerability in
reCAPTCHA for Drupal.
In project MoBiC in 2007 I already wrote about bypassing of
reCaptcha for
Drupal (
http://websecurity.com.ua/1505/). This is new method
of bypassing
reCaptcha for Drupal.
-------------------------
Affected products:
-------------------------
Vulnerable are all versions of reCAPTCHA plugin for Captcha
module versions
before 6.x-2.3 and 7.x-1.0.
----------
Details:
----------
Insufficient Anti-automation (WASC-21):
In different forms in Drupal the vulnerable captcha-plugin
reCAPTCHA is
using. Drupal's Captcha module is vulnerable itself, so
besides reCAPTCHA
other captcha-plugins also can be vulnerable (at that this
exploit is a
little different from exploit for default Captcha module for
Drupal).
For bypassing of captcha it's needed to use correct value of
captcha_sid, at
that it's possible to not answer at captcha (captcha_response)
or set any
answer. This method of captcha bypass is described in my
project Month of
Bugs in Captchas (
http://websecurity.com.ua/1498/). Attack is
possible while
this captcha_sid value is active.
Vulnerabilities exist on pages with forms:
http://site/contact,
http://site/user/1/contact,
http://site/user/password and
http://site/user/register. Other forms where reCAPTCHA is
using also will be
vulnerable.
Exploit:
http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html
------------
Timeline:
------------
2010.12.11 - announced at my site.
2010.12.14 - informed reCAPTCHA developers.
2010.12.14 - informed Google (reCAPTCHA owner).
2011.02.16 - disclosed at my site.
I mentioned about this vulnerability at my site
(
http://websecurity.com.ua/4752/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/