Websecurity - Веб безпека

Продовжується Місяць багів в Капчах і сьогодні я опублікував нові уразливості.

На десятий день Місяця багів в Капчах я опублікував інформацію про дірки в Капчі PHP-Nuke. Дана Капча вразлива до MustLive CAPTCHA bypass method та Null string bypass method.

• MoBiC-10: PHP-Nuke CAPTCHA bypass (деталі)
• MoBiC-10 Bonus: another PHP-Nuke CAPTCHA bypass (деталі)

Очікуємо на наступний день Month of Bugs in Captchas.

Continue our talk about last participant of the project - PHP-Nuke captcha. Which is using at User Registration form (and also at Login form). Like previous one I also found this hole at phpnuke.org. Vulnerable version is PHP-Nuke 8.1 (the latest) and all previous.

This captcha in addition to MustLive CAPTCHA bypass method is also vulnerable for null string bypass method. This Insufficient Anti-automation hole I found 21.10.2007.

If in MustLive CAPTCHA bypass method for bypassing captcha you need to use the same gfx_check and random_num values for every post. Than in null string bypass method you not need to use these parameters at all. Just send empty strings or not send them at all.

Null string bypass method - it is hardcore method . It’s design only for hardcore guys and gals. If you not feel yourself hardcore enough, don’t use it.

Insufficient Anti-automation:

PHP-Nuke CAPTCHA bypass3.html - bypassing captcha by another method and data confirmation page and finishing registration.

Guys not overdo with this Captcha bypass test. This exploit for educational purposes only. Don’t use it for malicious purposes at any site on PHP-Nuke.

You need to setup exploit to test it (set site’s URL and others data). If you want to test it immediately, here is online example.

Insufficient Anti-automation:

phpnuke.org CAPTCHA bypass.html

Guys not overdo with this Captcha bypass test. This exploit for educational purposes only.

Moral: never make such vulnerable captchas.

Next participant of the project is PHP-Nuke captcha. Which is using at User Registration form (and also at Login form). I found this hole at phpnuke.org (which is using last version of CMS). Vulnerable version is PHP-Nuke 8.1 (the latest) and all previous.

Like Google said there are up to 2660000 sites in Internet on this engine. And including all those sites which use PHP-Nuke, but have no “Powered by PHP-Nuke” sign, there are potentially more millions of sites which are in risk with this insecure captcha (with “powered by PHP-Nuke” query there are up to 3020000 sites).

This captcha is vulnerable for MustLive CAPTCHA bypass method. This Insufficient Anti-automation hole I found 21.10.2007.

For bypassing captcha you need to use the same gfx_check and random_num values many times (for every post).

Insufficient Anti-automation:

PHP-Nuke CAPTCHA bypass.html - bypassing captcha and transition to data confirmation page.

PHP-Nuke CAPTCHA bypass2.html - bypassing captcha and data confirmation page and finishing registration.

Guys not overdo with these Captcha bypass tests. These exploits for educational purposes only. Don’t use them for malicious purposes at any site on PHP-Nuke.

You need to setup exploits to test them (set site’s URL and others data).

Moral: never make such unreliable captchas.

P.S.

Also I prepared another vulnerability in PHP-Nuke captcha. So wait for today’s bonus post .

В даній добірці уразливості в веб додатках:

• rPSA-2007-0081-1 postgresql postgresql-server (деталі)
• Untrusted search path vulnerability in PostgreSQL (деталі)
• SonicBB version 1.0 Multiple SQL Injection Vulnerabilities (деталі)
• RFI In Script FlashChat_v479 (деталі)
• New otrs2 packages fix cross-site scripting (деталі)
• GTP 3G © Gnuturk Portal System year=**&month= Cross-Site Scripting Vulnerability (деталі)
• Multiple XSS in Digirez (деталі)
• Cross-site scripting vulnerability in the JCE Admin Component in Ryan Demmer Joomla Content Editor 1.0.4 for Joomla! (деталі)
• Multiple PHP remote file inclusion vulnerabilities in Active PHP Bookmarks (APB) 1.1.02 (деталі)
• Vulnerability in TikiWiki before 1.9.7 (деталі)
• Завантаження довільних файлів і міжсайтовий скриптінг в SpeedyWiki (деталі)
• NetBSD FTPd / tnftpd Remote Stack Overflow PoC (деталі)
• CSRF уразливість в Trac (деталі)
• Інклюдинг локальних файлів і міжсайтовий скриптінг в FreeWebshop.org Script (деталі)
• Vulnerability in WebKit in Apple Mac OS X (деталі)

Продовжується Місяць багів в Капчах і сьогодні я опублікував нову уразливість.

На дев’ятий день Місяця багів в Капчах я опублікував інформацію про дірку в Капчі opennet.ru (раніше я вже писав про уразливості на www.opennet.ru). Дана Капча вразлива до Advanced MustLive CAPTCHA bypass method.

• MoBiC-09: opennet.ru CAPTCHA bypass (деталі)

Очікуємо на наступний день Month of Bugs in Captchas.

Next participant of the project is captcha at opennet.ru. Which is using at guestbook page of the site. This is news site with security related and others news.

This captcha is vulnerable for Advanced MustLive CAPTCHA bypass method. This Insufficient Anti-automation hole I found 04.09.2007.

Advanced method consist of main MustLive CAPTCHA bypass method and bypassing of anti CSRF protection (referer checking). For bypassing captcha you need to use the same ec and sc values many times (for every post). Note, that one captcha image works not long, so you need new image-code pairs periodically. For bypassing anti CSRF protection you need to spoof the referer.

Insufficient Anti-automation:

opennet.ru CAPTCHA bypass.txt

Guys not overdo with this Captcha bypass test. This exploit for educational purposes only.

Moral: never make such insecure captchas.

Виявлене переповнення масиву в GNU Gnash Flash Player (array overflow).

Уразливі версії: GNU Gnash 0.7.

Переповнення масиву при великій кількості елементів SHOWFRAME в DEFINESPRITE.

• Arbitrary code execution in GNU Gnash (aka GNU Flash Player) 0.7.2 (деталі)

В даній добірці експлоіти в веб додатках:

• WAnewsletter <= 2.1.3 Remote File Inclusion Vulnerability (деталі)
• Vistered Little 1.6a (skin) Remote File Disclosure Vulnerability (деталі)
• Vizayn Urun Tanitim Sistemi 0.2 (tr) Remote SQL Injection Vulnerability (деталі)
• Pheap 2.0 Admin Bypass / Remote Code Execution Exploit (деталі)
• AdminBot 9.0.5 (live_status.lib.php ROOT) RFI Vulnerability (деталі)
• Inout Search Engine (all version) Remote Code Execution Exploit (деталі)
• Microsoft IIS <= 5.1 Hit Highlighting Authentication Bypass Exploit (деталі)
• XOOPS Module icontent 1.0 Remote File Inclusion Exploit (деталі)
• RevokeBB <= 1.0 RC4 Blind SQL Injection / Hash Retrieve Exploit (деталі)
• Xpression News File Disclosure Exploit (деталі)

Продовжується Місяць багів в Капчах і сьогодні я опублікував нові уразливості.

На восьмий день Місяця багів в Капчах я опублікував інформацію про дірки в логічних Капчах (на сайтах wait-till-i.com та shamanomaly.com). Дані Капчі вразливі до MustLive CAPTCHA bypass method.

• MoBiC-08: logical CAPTCHA bypass (деталі)

Очікуємо на наступний день Month of Bugs in Captchas.

Next participant of the project is logical Captcha. This is such type of protection where user asked to “check this box” to prove that he is not a bot. It’s popular and accessible type of captchas which are using at many sites. So there are a lot of sites which are in risk with such captchas.

First example is wait-till-i.com where logical captcha was used. This captcha is vulnerable to MustLive CAPTCHA bypass method. This Insufficient Anti-automation hole I found 25.10.2007.

For bypassing you need to use parameter “validemail” with value “d” for every post. This is classic MustLive CAPTCHA bypass method. Which easily bypass logical captchas.

Most interesting that after I informed admin of the site about hole in his captcha, and I was trying to inform all participants (sites with vulnerable captchas) of MoBiC project, he removed captcha from his site . This captcha decided to run away from me (it quit ahead of time). You can found this logical captcha in Yahoo’s cache (checkbox “Check this box if you are not a spammer”). Nevertheless the object was gained, lame captcha was hacked to death . So exploit is for demonstration only, because there is no captcha at all at the site. Now site’s owner need new and reliable captcha.

Insufficient Anti-automation:

wait-till-i.com CAPTCHA bypass.html

Guys not overdo with this Captcha bypass test. Not post too much at this site. This exploit for educational purposes only.

After first captcha I decided to find another logical one. Second example is shamanomaly.com with logical captcha. This captcha is vulnerable for two bypassing methods. These Insufficient Anti-automation holes I found 03.11.2007.

1. MustLive CAPTCHA bypass method.

For bypassing you need to use parameter “nonspammer” with value “1″ for every post.

2. JavaScript protection bypass method.

Checking is done with JavaScript, so if you turn off JS (which is common for bots) you can easily bypass it.

Insufficient Anti-automation:

shamanomaly.com CAPTCHA bypass.html

Guys not overdo with this Captcha bypass test. This exploit for educational purposes only.

Moral: never make such unreliable captchas.