Full Disclosure mailing list archives
Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 18 Feb 2011 14:45:46 -0500
MustLive: you're a little late to this party, see http://www.madirish.net/?article=443, published Dec 2009. The other issues you mention may already be disclosed. The Drupal Login Security module (http://drupal.org/project/login_security) is an effective mitigation for some of these problems. Do you do any research before you publish these advisories?

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 02/18/2011 02:30 PM, MustLive wrote:
Hello list!

I want to warn you about Brute Force and Abuse of Functionality vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

In the login form (http://site/user/) there is no reliable protection against brute force attacks. There is no captcha in Drupal itself, and the existing Captcha module (http://websecurity.com.ua/4749/) is vulnerable (as are all plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/)).

Abuse of Functionality (WASC-42):

On the contact page (http://site/contact) and on the page for contacting a user (http://site/user/1/contact) it is possible to send spam from the site to arbitrary e-mails via the function "Send yourself a copy". And by using the Insufficient Anti-automation vulnerability it is possible to send spam from the site in an automated manner on a large scale.

The attack using this function is possible only for logged in users. For automated sending of spam it is necessary to use the before-mentioned Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal itself, and the existing captcha module is vulnerable (as are all plugins to it, such as reCAPTCHA).

About such Abuse of Functionality vulnerabilities I wrote in the article Sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).

Abuse of Functionality (WASC-42):

On requesting specific pages of the site with a login set (http://site/users/user) it is possible to find existing logins of users on the site (i.e. to enumerate logins). If it shows "Access denied" - then such a login exists, and if "Page not found" - then not.

On requesting pages for contacting users (http://site/user/1/contact) the user's login is shown (i.e. it is possible to enumerate logins). The attack can be conducted only by logged in users and it will work only if the attacked user has turned on the option "Personal contact form" in his profile.

------------
Timeline:
------------

2010.12.15 - announced at my site.
2010.12.16 - informed developers.
2011.02.17 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4763/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
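As an added defender-side example (not part of either message above, and not code from Drupal or the Login Security module), this Python script scans constructed access-log lines for the two patterns the advisory describes: repeated failed POSTs to the Drupal login form, and a sweep of /user/<name> requests whose alternating 403/404 answers reveal which logins exist. The log format, the login paths, the probe path shape and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the advisory): one client hammering the
# Drupal 6 login form and another sweeping /user/<name> paths for a 403/404 oracle.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2011:14:01:01 -0500] "POST /user/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2011:14:01:02 -0500] "POST /user/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2011:14:01:03 -0500] "POST /user/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2011:14:01:04 -0500] "POST /user/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2011:14:01:05 -0500] "POST /user/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2011:14:01:06 -0500] "POST /user/ HTTP/1.1" 302 0
10.0.0.9 - - [18/Feb/2011:14:02:01 -0500] "GET /user/alice HTTP/1.1" 403 312
10.0.0.9 - - [18/Feb/2011:14:02:02 -0500] "GET /user/bob HTTP/1.1" 404 298
10.0.0.9 - - [18/Feb/2011:14:02:03 -0500] "GET /user/carol HTTP/1.1" 403 312
10.0.0.9 - - [18/Feb/2011:14:02:04 -0500] "GET /user/dave HTTP/1.1" 404 298
10.0.0.7 - - [18/Feb/2011:14:03:00 -0500] "GET /user/42 HTTP/1.1" 200 8000
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/user", "/user/", "/user/login"}            # assumed login form paths
ENUM_RE = re.compile(r"^/users?/(?P<name>[^/?]+)$")         # assumed /user/<login> probe shape
SYSTEM_NAMES = {"login", "register", "password", "logout"}  # Drupal paths that are not logins

def analyze(log_text, login_threshold=5, enum_threshold=4):
    """Return {ip: [(finding, count), ...]} for login bursts and enumeration sweeps."""
    failed_logins = defaultdict(int)
    probed_names = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        # Drupal 6 re-renders the form (200) on a bad password and redirects (302) on success
        if method == "POST" and path in LOGIN_PATHS and status != 302:
            failed_logins[ip] += 1
        # 403 vs 404 on distinct names is the advisory's oracle; numeric uids and system paths are normal
        e = ENUM_RE.match(path)
        if method == "GET" and e and status in (403, 404):
            name = e["name"]
            if not name.isdigit() and name not in SYSTEM_NAMES:
                probed_names[ip].add(name)
    findings = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(("login_bruteforce", n))
    for ip, names in probed_names.items():
        if len(names) >= enum_threshold:
            findings[ip].append(("login_enumeration", len(names)))
    return dict(findings)
```

On the sample above it flags 10.0.0.5 for five failed logins and 10.0.0.9 for probing four distinct names; a real deployment would read the web server's log and tune the thresholds to its traffic.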