Bugtraq mailing list archives
Re: Vulnerabilities in Dunia Soccer
From: Susan Bradley <sbradcpa () pacbell net>
Date: Thu, 08 Apr 2010 12:05:21 -0700
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------

Pardon me, but you disclosed it at your site before you informed the developers? I don't even know what Dunia soccer is but how about you give vendors a chance to make good?
Is it a vendor site that has information or is this an informational forum/sale of soccer stuff site that has a buggy captcha that makes the server admin wonder what is chewing up the CPU and why spam is still making it to the site?
The vulnerability ...or rather the bug is in the captcha code, this is just a site using it, right?
But really, for this type of bug do you really need to be trying to "shame" someone into fixing it or just informing the site that there's a page that is sucking CPU cycles and able to bypass the captcha to post spam?
Why not give the admin of the site a chance?

MustLive wrote:
Hello Bugtraq!

I want to warn you about security vulnerabilities in system Dunia Soccer.

-----------------------------
Advisory: Vulnerabilities in Dunia Soccer
-----------------------------
URL: http://websecurity.com.ua/4083/
-----------------------------
Affected products: all versions of Dunia Soccer.
-----------------------------
Timeline:
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
-----------------------------
Details:

These are Insufficient Anti-automation and Denial of Service vulnerabilities.

The vulnerabilities exist in captcha script CaptchaSecurityImages.php, which is using in this system. I already reported about vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:

http://site/class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible as via half-automated or automated (with using of OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/), as with using of session reusing with constant captcha bypass method (http://websecurity.com.ua/1551/), which was described in project Month of Bugs in Captchas.

DoS:

http://site/class/captcha/CaptchaSecurityImages.php?width=1000&height=9000

With setting of large values of width and height it's possible to create large load at the server.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
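An added example, not part of the original posts and not code from CaptchaSecurityImages or Dunia Soccer: a log check a site admin could run to flag requests to the captcha script that carry the oversized `width`/`height` or low `characters` values the advisory describes. The thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed policy limits (not from the advisory); set them to the form's real captcha size.
MAX_WIDTH, MAX_HEIGHT, MIN_CHARS = 300, 120, 4
SCRIPT = "/CaptchaSecurityImages.php"  # script name taken from the advisory
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format) for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Apr/2010:12:00:01 -0700] "GET /class/captcha/CaptchaSecurityImages.php?width=120&height=40&characters=5 HTTP/1.1" 200 2310',
    '198.51.100.7 - - [08/Apr/2010:12:00:02 -0700] "GET /class/captcha/CaptchaSecurityImages.php?width=1000&height=9000 HTTP/1.1" 200 912345',
    '198.51.100.7 - - [08/Apr/2010:12:00:03 -0700] "GET /class/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2 HTTP/1.1" 200 1804',
    '192.0.2.10 - - [08/Apr/2010:12:00:04 -0700] "GET /index.php HTTP/1.1" 200 5120',
]

def int_param(params, name):
    """First value of a query parameter as an int, or None if absent or non-numeric."""
    try:
        return int(params[name][0])
    except (KeyError, ValueError):
        return None

def check_line(line):
    """Return (client, reasons) for an out-of-policy captcha request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith(SCRIPT):
        return None
    params = parse_qs(url.query)
    reasons = []
    for name, limit in (("width", MAX_WIDTH), ("height", MAX_HEIGHT)):
        value = int_param(params, name)
        if value is not None and value > limit:
            reasons.append(f"{name}={value} exceeds {limit}")
    chars = int_param(params, "characters")
    if chars is not None and chars < MIN_CHARS:
        reasons.append(f"characters={chars} below {MIN_CHARS}")
    return (client, reasons) if reasons else None

def scan(lines):
    """Collect findings for every flagged line."""
    return [hit for hit in map(check_line, lines) if hit]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```

The same bounds belong in the script itself: clamping or rejecting these parameters server-side removes the condition the log check only detects.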