Full Disclosure mailing list archives
Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC
From: Michele Orru <antisnatchor () gmail com>
Date: Tue, 15 Feb 2011 17:57:03 +0100
On Tue, Feb 15, 2011 at 12:25 AM, Eyeballing Weev <eyeballing.weev () gmail com> wrote:
> On Mon, Feb 14, 2011 at 4:54 PM, MustLive <mustlive () websecurity com ua> wrote:
>> Hello Michele! A few days ago I saw your advisory about Drupal's captcha. It's an interesting advisory, but I have one note concerning it - your research is very close to mine ;-) (it concerns similar holes which I found before you).
>
> Quit being sexist. Is this because a woman disclosed this?

What the hell :) I'm a man, mate. Michele is like Michael.

antisnatchor

>> Second, in your PoC (bruteforce exploit for Drupal) you're talking about a Brute Force hole. But in the title you said insecure Captcha (which is Insufficient Anti-automation). These are different classes of vulnerabilities, like in the WASC TC - Brute Force (WASC-11) and Insufficient Anti-automation (WASC-21). So your title is not fully correct.
>
> Again, more sexism by you.
>
>> All these holes in Drupal (from my 4 advisories concerning Drupal) will be disclosed soon. It was planned for February, so this week I began disclosing these holes. So, Michele, good luck in your security research.
>
> Good luck to anyone reading your Engrish-ridden "advisories".
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC MustLive (Feb 14)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 14)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Michele Orru (Feb 15)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Jacqui Caren-home (Feb 18)
- Re: [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC Eyeballing Weev (Feb 14)