Archive for November 2007

MoBiC-28: IPB CAPTCHA bypass

20:23 28.11.2007

The next participant of the project is the Invision Power Board captcha, which is used on the registration page. The vulnerable version is IPB 2.2.0 (and previous, and possibly later, versions). Forum engines, too, have vulnerable captchas.

As Google shows, there are up to 3,130,000 sites on the Internet running this forum engine. Counting also the sites that use IPB but carry no “Powered by Invision Power Board” sign, potentially millions more sites are at risk from this insecure captcha.

This captcha is vulnerable to the half-automated method, one of the Advanced MustLive CAPTCHA bypass methods. I found this Insufficient Anti-automation hole on 05.08.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because the captcha images are one-time). For bypassing you need to use new regid and reg_code values for every post. It is not fully automated, but it is still a half-automated bypass (without OCR, using only vulnerabilities in the captcha itself). Those who don’t want to do the work themselves can use cheap labour to prepare image-code pairs, or use OCR software (even for non-real-time recognition). If for personal captcha bypassing this method is not too effective, then combined with cheap labour (or the porn variant) or OCR it is a very effective method (and in that case it can be fully automated). And bad guys often use such techniques. That is why web developers need to improve captchas that are vulnerable to the half-automated method, to prevent spam and other automated activity: if not OCR, then at least the labour and porn variants.

Insufficient Anti-automation:

IPB CAPTCHA bypass.html

This exploit is for educational purposes only. Don’t use it for malicious purposes at any site running Invision Power Board.

You need to set up the exploit to test it (set the site’s URL and other data).

Moral: try to make more secure captchas.

P.S.

I have also prepared other vulnerabilities in one captcha, so wait for today’s bonus post ;-) .

Vulnerability digest

16:34 28.11.2007

This digest covers vulnerabilities in web applications:

  • SHTTPD V1.38 server source code disclosure (details)
  • Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure (details)
  • ActiveWeb Contentserver CMS Clientside Filtering of Page Editor Content (details)
  • ActiveWeb Contentserver CMS Multiple Cross Site Scriptings (details)
  • Wap Portal Server 1.* <= Remote File Inclusion (details)
  • Sql injection bugs in Xoops 2.0.16 + Weblinks module (details)
  • Adrenalin’s ASP Chat XSS (details)
  • SQL injection in 20/20 Data Shed (details)
  • Vulnerability in TorrentFlux 2.2 (details)
  • Code execution vulnerability in TorrentFlux 2.2 (details)
  • Directory traversal in Conxint FTP Server (details)
  • SQL injection in WWWeb Concepts CactuShop (details)
  • SQL injection in SiteXpress E-Commerce System (details)
  • Multiple cross-site scripting (XSS) vulnerabilities in ShopSite (details)
  • SQL injection vulnerability in EasyPage (details)

Month of Bugs in Captchas: day twenty-seven

23:46 27.11.2007

The Month of Bugs in Captchas continues, and today I published a new vulnerability.

On the twenty-seventh day of the Month of Bugs in Captchas I published information about a hole in the captcha at internetua.com. This captcha is vulnerable to the session reusing with null captcha bypass method.

Stay tuned for the next day of the Month of Bugs in Captchas.

MoBiC-27: internetua.com CAPTCHA bypass

22:56 27.11.2007

The next participant of the project is the captcha at internetua.com, which is used in the comments form on the site.

This captcha is vulnerable to the session reusing with null captcha bypass method. I found this Insufficient Anti-automation hole on 04.11.2007.

The session reusing with null captcha bypass method is a very tricky method, similar to the session reusing with constant captcha bypass method. For bypassing you need to send the first message with the captcha code and then use an empty security_code value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you will be using the empty (null) captcha code many times. By the way, when I retested this hole I found that they had made some changes at the site, so the captcha is now bypassed via the session reusing with constant captcha bypass method (using not a null but the same captcha code).
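
Both the half-automated method from MoBiC-28 (pre-prepared image-code pairs, a fresh regid/reg_code for every post) and the session-reuse variants here (an empty or a constant security_code accepted across a whole session) come down to one server-side defect: the submitted code is not checked against a challenge that is bound to the session, consumed on first use and expired quickly. The Python below is an added example written for this page, not code from IPB, internetua.com or the MustLive exploits; the in-memory session store, the challenge lifetime, the sample session ids and all function names are assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for the server-side session backend.
# Each session holds at most one live CAPTCHA challenge.
SESSIONS = {}

CHALLENGE_TTL = 300                              # assumed challenge lifetime, seconds
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"    # no 0/O and 1/I look-alikes


def issue_challenge(session_id, now=None):
    """Create a fresh challenge bound to this session when the form is rendered.

    The answer lives only on the server. Issuing a new challenge replaces the
    old one, so a session never holds several unsolved challenges at once.
    The answer is returned solely so that an image renderer could draw it."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    challenge_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"id": challenge_id, "answer": answer, "issued": now}
    return challenge_id, answer


def verify(session_id, challenge_id, submitted_code, now=None):
    """Check a submitted code. Returns (ok, reason).

    The stored challenge is consumed before anything else is examined, so an
    empty code, a wrong guess and a replay of an already-used code all leave
    the session without a challenge and force a new image on the next form."""
    now = time.time() if now is None else now
    record = SESSIONS.pop(session_id, None)
    if record is None:
        return False, "no live challenge for this session"
    if not submitted_code or not challenge_id:
        return False, "empty code or challenge id"
    if now - record["issued"] > CHALLENGE_TTL:
        return False, "challenge expired"
    if not hmac.compare_digest(record["id"].encode(), str(challenge_id).encode()):
        return False, "challenge does not belong to this session"
    if not hmac.compare_digest(record["answer"].lower().encode(),
                               str(submitted_code).strip().lower().encode()):
        return False, "wrong code"
    return True, "ok"


def demo():
    """Run the request patterns from the posts against the checker.

    Each key names a pattern; the value is whether the post would be accepted."""
    sid = "constructed-session-1"
    out = {}
    cid, answer = issue_challenge(sid, now=1000.0)
    out["null_code"] = verify(sid, cid, "", now=1001.0)[0]                 # empty security_code
    cid, answer = issue_challenge(sid, now=1000.0)
    out["first_post"] = verify(sid, cid, answer, now=1001.0)[0]            # genuine solve
    out["replay"] = verify(sid, cid, answer, now=1002.0)[0]                # same code sent again
    cid, answer = issue_challenge(sid, now=1000.0)
    out["stale_pair"] = verify(sid, cid, answer, now=1000.0 + CHALLENGE_TTL + 1)[0]  # pair prepared long before
    cid, answer = issue_challenge(sid, now=1000.0)
    out["other_session"] = verify("constructed-session-2", cid, answer, now=1001.0)[0]  # pair from another session
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-14s accepted=%s" % (name, accepted))
```

Because verify() pops the stored challenge before it looks at the code, a wrong guess, an empty code and a repeated correct code all force a new image, which is exactly what the null and constant-captcha variants rely on not happening; binding the challenge to the issuing session and to a short lifetime means pairs collected in advance only work from that session and only briefly. This does not remove the human-solving cost problem the post raises, but it closes every path where the captcha is passed without being solved at all.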

Insufficient Anti-automation:

internetua.com CAPTCHA bypass.html

Guys, don’t overdo it with this captcha bypass test. Don’t post too much at this site. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

XSS vulnerability in Google

20:21 27.11.2007

Yesterday a Cross-Site Scripting vulnerability was found in Google. It works in Internet Explorer up to and including IE6. It was found by beford, who had earlier found an XSS vulnerability in Google Polls.

The hole was found in the iGoogle service, in the module for adding gadgets to one’s personal iGoogle page. The vulnerable parameter turned out to be screenshot in the gadget XML file. Well done, beford, quite an interesting vulnerability ;-) .

XSS:

http://google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

This vulnerability has already been fixed by Google, which reacted within one day. I have seen faster reactions in my practice, but nonetheless they reacted quickly.

Exploit digest

16:17 27.11.2007

This digest covers exploits for web applications:

  • Ripe Website Manager (CMS) <= 0.8.9 Remote File Inclusion Vulns (details)
  • sPHPell 1.01 Multiple Remote File Inclusion Vulnerabilities (details)
  • XCMS 1.1 (Galerie.php) Local File Inclusion Vulnerabilities (details)
  • Easybe 1-2-3 Music Store (process.php) Remote SQL Injection Vuln (details)
  • ArcadeBuilder Game Portal Manager 1.7 Remote SQL Injection Vuln (details)
  • phpEventCalendar 0.2.2 (eventdisplay.php) Remote SQL Injection Exploit (details)
  • vbzoom 1.x (forum.php MainID) Remote SQL Injection Vulnerability (details)
  • PHPDirector <= 0.21 (videos.php id) Remote SQL Injection Vulnerability (details)
  • AV Arcade 2.1b (index.php id) Remote SQL Injection Vulnerability (details)
  • Call Center Software - Remote Xss Post Exploit (details)

Month of Bugs in Captchas: day twenty-six

23:51 26.11.2007

The Month of Bugs in Captchas continues, and today I published new vulnerabilities.

On the twenty-sixth day of the Month of Bugs in Captchas I published information about holes in the Captcha! captcha (a plugin for WordPress). This captcha is vulnerable to Cross-Site Request Forgery, Insufficient Anti-automation and Cross-Site Scripting vulnerabilities.

Stay tuned for the next day of the Month of Bugs in Captchas.

MoBiC-26 Bonus: XSS in Captcha!

22:48 26.11.2007

Let us continue our talk about the last participant of the project, Captcha!, a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).

In addition to Cross-Site Request Forgery and Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 10.11.2007.

There are four XSS holes, and they are persistent XSS. The holes are on the plugin options page (http://site/wp-admin/options-general.php?page=captcha\captcha.php) in the parameters captcha_ttffolder, captcha_numchars, captcha_ttfrange and captcha_secret. For attacking you need to make a POST request to the plugin options script.

XSS:

Captcha! XSS.html

Captcha! XSS2.html

Captcha! XSS3.html

Captcha! XSS4.html

These exploits are for educational purposes only. Don’t use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site’s URL and other data).

Moral: always make more secure captchas, and without XSS holes.

MoBiC-26: Captcha! CAPTCHA bypass

20:25 26.11.2007

The next participant of the project is Captcha!, a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).

This is a very popular captcha plugin. It’s one of the recommended captcha plugins at codex.wordpress.org, so many thousands of sites are at risk from this plugin.

This captcha is vulnerable to CSRF and to the Null string bypass method. I found these Cross-Site Request Forgery and Insufficient Anti-automation holes on 10.11.2007.

The Null string bypass method is a very tricky method. First you carry out a CSRF attack, and after that you can easily bypass the captcha. This captcha uses one-time images, so you need this tricky method to bypass it. Using CSRF you set the captcha_numchars option to 0. After that you send messages with empty public_key and private_key values (null strings) or without these parameters at all (similar to MoBiC-10 Bonus: another PHP-Nuke CAPTCHA bypass). And so you bypass the captcha, and so does everyone who sends messages after you. It’s social-spam style :-D : one hacks the captcha, all spam.
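
The CSRF-then-null-string chain described above and the persistent XSS on the same options page (MoBiC-26 Bonus) share one root: the plugin’s settings handler accepts a cross-site POST, accepts 0 for captcha_numchars, and echoes the stored option values back into the page unescaped. The Python below is an added example for this page, not the Captcha! plugin’s code; it models a settings handler with a per-session anti-CSRF token, a hard lower bound on captcha_numchars and HTML escaping of every stored value at output. The four option names are the ones the posts list; their default values, the numeric bounds, the token handling, the admin session id and all function names are assumptions, and since the posts do not say what the three string options must contain, only their length is checked and output escaping carries the XSS defence for them.

```python
import hmac
import html
import secrets

# Constructed defaults standing in for the plugin's stored settings. The four
# option names come from the posts; the default values are assumed.
DEFAULT_OPTIONS = {
    "captcha_numchars": 6,
    "captcha_ttffolder": "fonts",
    "captcha_ttfrange": "A-Z",
    "captcha_secret": "change-me",
}
MIN_NUMCHARS, MAX_NUMCHARS = 4, 10   # assumed bounds; 0 is never accepted
MAX_STRING_LEN = 128

# One anti-CSRF token per admin session, kept server-side and echoed into the form.
CSRF_TOKENS = {}


def render_form_token(admin_session):
    """Mint the hidden token that the settings form must send back."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[admin_session] = token
    return token


def update_options(admin_session, post, options):
    """Apply a POSTed settings update to `options` in place. Returns (ok, errors).

    A forged cross-site POST cannot carry this session's token, so it is
    rejected before any option is touched; a token-bearing request still has
    to pass validation, so captcha_numchars can never be driven to 0."""
    expected = CSRF_TOKENS.get(admin_session, "")
    supplied = str(post.get("_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, ["missing or invalid CSRF token"]
    errors, new = [], {}
    if "captcha_numchars" in post:
        raw = str(post["captcha_numchars"]).strip()
        if raw.isdigit() and MIN_NUMCHARS <= int(raw) <= MAX_NUMCHARS:
            new["captcha_numchars"] = int(raw)
        else:
            errors.append("captcha_numchars must be an integer between %d and %d"
                          % (MIN_NUMCHARS, MAX_NUMCHARS))
    for name in ("captcha_ttffolder", "captcha_ttfrange", "captcha_secret"):
        if name in post:
            value = str(post[name]).strip()
            if 1 <= len(value) <= MAX_STRING_LEN:
                new[name] = value
            else:
                errors.append("%s must be 1..%d characters" % (name, MAX_STRING_LEN))
    if errors:
        return False, errors          # reject the whole update, change nothing
    options.update(new)
    return True, []


def render_options_form(options):
    """Render the settings inputs. Every stored value is HTML-escaped on the
    way out, so whatever reached storage is shown as text, never as markup."""
    rows = ['<input type="text" name="%s" value="%s">'
            % (html.escape(name, quote=True), html.escape(str(value), quote=True))
            for name, value in options.items()]
    return "\n".join(rows)


def demo():
    """Replay the request shapes from the posts against a fresh option set."""
    opts = dict(DEFAULT_OPTIONS)
    admin = "constructed-admin-session"
    out = {}
    # Cross-site POST carries no token: the attempt to set numchars to 0 is refused.
    ok, _ = update_options(admin, {"captcha_numchars": "0"}, opts)
    out["forged_post"] = (ok, opts["captcha_numchars"])
    # Same value sent through the real form (token present): validation refuses 0.
    token = render_form_token(admin)
    ok, _ = update_options(admin, {"_token": token, "captcha_numchars": "0"}, opts)
    out["zero_numchars"] = (ok, opts["captcha_numchars"])
    # Legitimate update whose folder value carries markup: stored, but escaped on render.
    ok, _ = update_options(admin, {"_token": token, "captcha_numchars": "8",
                                   "captcha_ttffolder": "<script>alert(1)</script>"}, opts)
    page = render_options_form(opts)
    out["valid_update"] = (ok, opts["captcha_numchars"])
    out["markup_neutralised"] = "<script>" not in page and "&lt;script&gt;" in page
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-19s %s" % (name, result))
```

The token check runs first and compares with a constant-time function, so a victim administrator’s browser being lured into posting the form does nothing without the token; the numeric lower bound is what actually closes the null-string path, because the comment form’s empty public_key/private_key can only match when the expected code has length 0; and escaping at render time is the correct place for the XSS fix, since it protects the page regardless of which validation a future option slips past.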

CSRF + Insufficient Anti-automation:

Captcha! CSRF.html
Captcha! CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site’s URL and other data).

Moral: never make such insecure captchas.

P.S.

I have also prepared other vulnerabilities in Captcha!, so wait for today’s bonus post ;-) .

Vulnerability digest

16:37 26.11.2007

This digest covers vulnerabilities in web applications:

  • CheckPoint VPN-1 UTM Edge Cross Site Request Forgery vulnerability (details)
  • Cross-Site Request Forgery Attack Against Check Point Safe@Office Device (details)
  • ActiveWeb Contentserver CMS Editor Permission Settings Problem (details)
  • ActiveWeb Contentserver CMS SQL Injection Management Interface (details)
  • osCommerce Online Merchant v2.2 RC1 local include bug (details)
  • Conti FTP Server v1.0 DoS (details)
  • Command Injection in XML Digital Signatures (details)
  • SQL injection vulnerability in Oxygen (O2PHP Bulletin Board) (details)
  • PHP remote file inclusion vulnerability in the mx_tinies 1.3.0 Module for MxBB Portal 1.06 (details)
  • Multiple vulnerabilities in ContentNow (details)
  • SQL injection in UPublisher (details)
  • SQL injection vulnerability in Metyus Okul Yonetim Sistemi 1.0 (details)
  • Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 (details)
  • Directory traversal vulnerability in TorrentFlux 2.2 (details)
  • SQL injection in NuSchool (details)