Full Disclosure mailing list archives
Re: Vulnerability in reCAPTCHA for Drupal
From: Charles Morris <cmorris () cs odu edu>
Date: Fri, 18 Feb 2011 10:07:26 -0500
Michele, Granted I don't know or really care about drupal, and I'm not just trying to defend MustLive, who just seems to be a guy trying to get ahead in the world, even if he's a little misguided; but what really gets to me is when people dismiss issues like that. Not to mention you are assuming that the defaults are never changed. full path disclosure IS an information disclosure, unless the code is designed to disclose it's filesystem path. Any information gathered by unorthodox methods from an application that wasn't designed to do so, is an information disclosure. Information disclosure IS a vulnerability. Even if an attack vector isn't known, things like filesystem knowledge, internal varialbe names, error messages, username => id mapping, etc can still be used from a social engineering perspective. It is my personal belief that all vulnerabilities should be patched regardless of existence of a known attack vector or exploit. If an application does not behave exactly as it's intended in all circumstances: patch || gutmann() And, to MustLive; I hope that debugging option or whatever is turned on by default- otherwise the quoted issue is more of a misconfiguration.... and yes two days is a completely irrational acknowledgment duration cap ... :( ... I've had vendors take weeks to acknowledge an issue.. we have to gently hold the hand of vendors and teach them how computer work.. I personally suggest putting a proper disclosure policy on your website and then stick to it. On 2/17/11, Michele Orru <antisnatchor () gmail com> wrote:
If you thing that some statements from MustLive like the following: " Full path disclosure (WASC-13): At POST request to the page with form with using of Cyrillic char in parameter op, the error message is showing, which consists the full path on the system. Vulnerabilities exist at pages:http://site/user/,http://site/user/1/edit, http://site/user/password,http://site/user/register,http://site/contact, http://site/user/1/contact. Other pages which have forms also can be vulnerable. Exploit: http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html As noted Drupal developers, these vulnerabilities appear due to turned on debugging option in administrator panel. So for preventing of these and other FPD at the site it's needed to turn off this option. " are not hilarious, then you're a really noob. I mean, every Drupal user knows that the default path to register a new user is user/register, or that the default admin account is reachable at user/1, or that the contact form is at the contact URI. These are not vulnerabilities, and this is one of the many reasons why almost no-one in FD read his "advisories" and flag his address as spam :) antisnatchor------------------------------------------------------------------------
...
MustLive <mailto:mustlive () websecurity com ua> February 17, 2011 6:18 PM Hello list! I want to warn you about Insufficient Anti-automation vulnerability in reCAPTCHA for Drupal. In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for Drupal (http://websecurity.com.ua/1505/). This is new method of bypassing reCaptcha for Drupal. ------------------------- Affected products: ------------------------- Vulnerable are all versions of reCAPTCHA plugin for Captcha module versions before 6.x-2.3 and 7.x-1.0. ---------- Details: ---------- Insufficient Anti-automation (WASC-21): In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is using. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA other captcha-plugins also can be vulnerable (at that this exploit is a little different from exploit for default Captcha module for Drupal). For bypassing of captcha it's needed to use correct value of captcha_sid, at that it's possible to not answer at captcha (captcha_response) or set any answer. This method of captcha bypass is described in my project Month of Bugs in Captchas (http://websecurity.com.ua/1498/). Attack is possible while this captcha_sid value is active. Vulnerabilities exist on pages with forms: http://site/contact, http://site/user/1/contact, http://site/user/password and http://site/user/register. Other forms where reCAPTCHA is using also will be vulnerable. Exploit: http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html ------------ Timeline: ------------ 2010.12.11 - announced at my site. 2010.12.14 - informed reCAPTCHA developers. 2010.12.14 - informed Google (reCAPTCHA owner). 2011.02.16 - disclosed at my site. I mentioned about this vulnerability at my site (http://websecurity.com.ua/4752/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Vulnerability in reCAPTCHA for Drupal MustLive (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Eyeballing Weev (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Michele Orru (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Valdis . Kletnieks (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Charles Morris (Feb 18)
- Message not available
- Message not available
- Re: Vulnerability in reCAPTCHA for Drupal Conor (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Eyeballing Weev (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Zach C. (Feb 17)
- Re: Vulnerability in reCAPTCHA for Drupal Valdis . Kletnieks (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Charles Morris (Feb 18)
- Re: Vulnerability in reCAPTCHA for Drupal Ulisses Montenegro (Feb 19)