Archive for November 2007

Month of Bugs in Captchas: day twenty

23:46 20.11.2007

The Month of Bugs in Captchas continues, and today I published new vulnerabilities.

On the twentieth day of the Month of Bugs in Captchas I published information about holes in the Nucleus captcha. This captcha is vulnerable to the half-automated method and to the injected constant captcha bypass method.

We await the next day of the Month of Bugs in Captchas.

MoBiC-20 Bonus: another Nucleus CAPTCHA bypass

22:56 20.11.2007

Continuing our talk about the last participant of the project, the Nucleus captcha, which is used on the comment confirmation page. The vulnerable version is Nucleus 3.01 (and previous and possibly later versions).

In addition to the half-automated method, this captcha is also vulnerable to the injected constant captcha bypass method. I found these Insufficient Anti-automation and SQL Injection holes on 27.10.2007.

Where in the half-automated method for bypassing the captcha you need to use new code and myid values for every post, in the injected constant captcha bypass method you use constant values (injected via the SQL Injection hole) for every post.

Put the value "1" in the code parameter, and put in the myid parameter a value that makes the captcha always equal to "1":

<input type="hidden" name="code" value="1" />
<input type="hidden" name="myid" value="-1 union select 1,1,1 from nucleus_blog" />

The injected constant captcha bypass method is a totally hardcore and extreme method 8-). It’s designed only for totally hardcore guys and gals. If you don’t feel hardcore enough, don’t use it.

Insufficient Anti-automation:

Nucleus CAPTCHA bypass2.html

Guys, don’t overdo it with this captcha bypass test. This exploit is for educational purposes only. Don’t use it for malicious purposes on any site running Nucleus.

This is the disclosure of the Insufficient Anti-automation hole (with SQL Injection in the context of captcha bypassing). I’ll disclose this SQL Injection separately next time, together with another SQL Injection and other holes in Nucleus. Don’t use it for anything besides captcha bypassing, and especially don’t use it for malicious purposes.

You need to set up the exploit to test it (set the site’s URL and other data).

Moral: always make more secure captchas, and without SQL Injection holes.

MoBiC-20: Nucleus CAPTCHA bypass

20:41 20.11.2007

The next participant of the project is the Nucleus captcha, which is used on the comment confirmation page. The vulnerable version is Nucleus 3.01 (and previous and possibly later versions).

As Google says, there are up to 2170000 sites on the Internet running this engine. Including all the sites which use Nucleus but have no “Powered by Nucleus” sign, there are potentially millions more sites at risk from this insecure captcha.

This captcha is vulnerable to the half-automated method (I’ll write about another, faster method in the bonus post). It is one of the Advanced MustLive CAPTCHA bypass methods. I found this Insufficient Anti-automation hole on 16.08.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because the captcha images are one-time). For bypassing you need to use new code and myid values for every post. It’s not fully automated, but it’s still a half-automated bypass (without using OCR, only using vulnerabilities in the captcha directly). Those who don’t want to do the work themselves can use cheap labour to prepare image-code pairs, or use OCR software (even for non-real-time recognition). This method, though, allows personal captcha bypassing without additional resources (labour or OCR).

Insufficient Anti-automation:

Nucleus CAPTCHA bypass.html

This exploit is for educational purposes only. Don’t use it for malicious purposes on any site running Nucleus.

You need to set up the exploit to test it (set the site’s URL and other data).

Moral: try to make more secure captchas.

P.S.

I have also prepared another vulnerability in Nucleus, so wait for today’s bonus post ;-).

Vulnerability digest

16:33 20.11.2007

This digest contains vulnerabilities in web applications:

  • Remote log injection on DenyHosts, Fail2ban and BlockHosts (details)
  • ASP Folder Gallery Vulnerabilities (details)
  • Light Blog 4.1 XSS Vulnerability (details)
  • Comicsense SQL Injection Advisory/Exploit (details)
  • Denial of Service in WebCore in Apple WebKit (details)
  • Denial of Service in Apple Safari (details)
  • APC PowerChute Network Shutdown 2.21 is vulnerable to directory transversal (details)
  • Multiple vulnerabilities in Universal FTP (details)
  • Path disclosure vulnerability in vuBB (details)
  • PHP remote file inclusion vulnerability in DreamAccount 3.1 (details)
  • Local file inclusion in Rama CMS (details)
  • Cross-site scripting and SQL injection in xenis.creator (details)
  • SQL injection vulnerability in Woltlab Burning Board Lite 1.0.2 (details)
  • Vulnerability in AutoFill feature in Apple Safari 2.0.4 (details)
  • Vulnerability in webadmin in MailEnable NetWebAdmin Professional 2.32 and Enterprise 2.32 (details)

Month of Bugs in Captchas: day nineteen

23:45 19.11.2007

The Month of Bugs in Captchas continues, and today I published a new vulnerability.

On the nineteenth day of the Month of Bugs in Captchas I published information about a hole in the HBH-Fusion captcha. This captcha is vulnerable to the session reusing with constant captcha bypass method.

We await the next day of the Month of Bugs in Captchas.

MoBiC-19: HBH-Fusion CAPTCHA bypass

22:52 19.11.2007

The next participant of the project is the HBH-Fusion captcha, which is used on the registration page. I found this hole at www.hellboundhackers.org. It’s a hackers’ site, and it needs a more reliable captcha.

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 27.07.2007.

In the session reusing with constant captcha bypass method, for bypassing you need to use the same user_code value for every post (during the current session). After you see the first captcha image and set it in the exploit, you must not refresh the page with the captcha, so it will not be regenerated and you will be using the same code many times.

This hole is similar to MoBiC-18: PHP-Fusion CAPTCHA bypass, because HBH-Fusion is a modification of PHP-Fusion. But in this case I made a perl exploit. First I made an html version of the exploit, but when I retested the hole in October, I found that these guys had added anti-CSRF protection (which does not help them in this case). So in the end I made a perl version of the exploit for bypassing the captcha and the anti-CSRF protection.

Insufficient Anti-automation:

HBH-Fusion CAPTCHA bypass.txt

Guys, don’t overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

Vulnerability on www.csoonline.com

19:27 19.11.2007

15.07.2007

In January, on 19.01.2007, I found a Cross-Site Scripting vulnerability on the project http://www.csoonline.com, an online security publication. I will notify the project’s administration about it shortly.

By the way, I found this vulnerability when I went to the site to read an article about XSS :-D. Online magazines should check their own security before writing articles about vulnerabilities.

Detailed information about the vulnerability will appear later.

19.11.2007

XSS:

This DOM-based XSS vulnerability is still not fixed.

Exploit digest

16:31 19.11.2007

This digest contains exploits for web applications:

  • XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability (details)
  • Musoo 0.21 Remote File Inclusion Vulnerabilities (details)
  • XOOPS Module WiwiMod 0.4 Remote File Inclusion Vulnerability (details)
  • W1L3D4 WEBmarket 0.1 Remote SQL Injection Vulnerability (details)
  • LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit (details)
  • LAN Management System (LMS) <= 1.9.6 Remote File Inclusion Exploit (details)
  • SerWeb 0.9.4 (load_lang.php) Remote File Inclusion Exploit (details)
  • HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit (details)
  • BitchX 1.1-final (EXEC) Remote Command Execution Exploit (details)
  • 0day exploit for PHP-nuke <=8.0 Final Blind sql injection attack in INSERT syntax version for mysql >= 4.0.24, using ‘brute force’ (details)

Month of Bugs in Captchas: day eighteen

23:45 18.11.2007

The Month of Bugs in Captchas continues, and today I published a new vulnerability.

On the eighteenth day of the Month of Bugs in Captchas I published information about a hole in the PHP-Fusion captcha. This captcha is vulnerable to the session reusing with constant captcha bypass method.

We await the next day of the Month of Bugs in Captchas.

MoBiC-18: PHP-Fusion CAPTCHA bypass

22:57 18.11.2007

The next participant of the project is the PHP-Fusion captcha, which is used on the registration page.

As Google says, there are up to 1740000 sites on the Internet running this engine. Including all the sites which use PHP-Fusion but have no “Powered by PHP-Fusion” sign, there are potentially millions more sites at risk from this insecure captcha (with the “powered by PHP-Fusion” query there are up to 2340000 sites).

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 20.10.2007.

In the session reusing with constant captcha bypass method, for bypassing you need to use the same user_code value for every post (during the current session). After you see the first captcha image and set it in the exploit, you must not refresh the page with the captcha, so it will not be regenerated and you will be using the same code many times.
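The three weaknesses described in these posts (a constant code that keeps being accepted within a session, image-code pairs that stay valid after being harvested, and a myid that reaches the database lookup unchecked) all come down to how the server verifies the code. The following is an added example, not Nucleus or PHP-Fusion code: a weak check of the kind the posts describe beside a hardened one, using an in-memory sqlite table whose schema and function names are assumptions.

```python
import hmac
import sqlite3

# Constructed in-memory table standing in for an application's captcha store;
# the schema and function names are assumptions, not Nucleus or PHP-Fusion code.
def new_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE captcha (id INTEGER PRIMARY KEY, code TEXT, "
               "session TEXT, created REAL)")
    return db

def issue(db, session_id, code, now):
    """Record a freshly generated code, bound to the visitor's session.
    The returned row id is what the form would carry in its 'myid' field."""
    cur = db.execute("INSERT INTO captcha (code, session, created) VALUES (?, ?, ?)",
                     (code, session_id, now))
    return cur.lastrowid

def verify_weak(db, myid, code):
    """The pattern behind 'session reusing with constant captcha': the stored
    code is compared but never retired, so one known pair passes every post."""
    row = db.execute("SELECT code FROM captcha WHERE id = ?", (myid,)).fetchone()
    return row is not None and row[0] == code

def verify_hardened(db, session_id, myid, code, now, ttl=300):
    """Single-use, session-bound, expiring check.
    - myid must be a plain integer and is passed as a bound parameter, so it
      can only select a row, never change the query;
    - the row must belong to the posting session, so pairs collected in one
      session are useless in another, and it must be younger than ttl seconds;
    - the row is deleted on the first attempt, right or wrong, so a code is
      never accepted twice and one image cannot be guessed against repeatedly."""
    if not str(myid).isdigit():
        return False
    row = db.execute(
        "SELECT id, code FROM captcha WHERE id = ? AND session = ? AND created > ?",
        (int(myid), session_id, now - ttl)).fetchone()
    if row is None:
        return False
    db.execute("DELETE FROM captcha WHERE id = ?", (row[0],))
    db.commit()
    # constant-time comparison of the stored code with the submitted one
    return hmac.compare_digest(row[1].encode(), code.encode())
```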

Insufficient Anti-automation:

PHP-Fusion CAPTCHA bypass.html

This exploit is for educational purposes only.

It’s the html version; you can look at the perl version of a similar exploit. You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.

I found this hole at bloglab.ru, which uses PHP-Fusion.

Insufficient Anti-automation:

bloglab.ru CAPTCHA bypass.html

Guys, don’t overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.