Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Brute Force and Abuse of Functionality vulnerabilities in Drupal
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 18 Feb 2011 14:45:46 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MustLive:  you're a little late to this party, see
http://www.madirish.net/?article=443, published Dec 2009.  The other
issues you mention may already be disclosed.  The Drupal Login Security
module (http://drupal.org/project/login_security) is an effective
mitigation for some of these problems.  Do you do any research before
you publish these advisories?

Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey

On 02/18/2011 02:30 PM, MustLive wrote:
Hello list!

I want to warn you about Brute Force and Abuse of Functionality
vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.20 and previous versions.

----------
Details:
----------

Brute Force (WASC-11):

In login form (http://site/user/) there is no reliable protection against
brute force attacks. There is no captcha in Drupal itself, and existent
Captcha module (http://websecurity.com.ua/4749/) is vulnerable (and also all
plugins to it, such as reCAPTCHA (http://websecurity.com.ua/4752/).

Abuse of Functionality (WASC-42):

At contact page (http://site/contact) and at page for contact with user
(http://site/user/1/contact) there is a possibility to send spam from the
site to arbitrary e-mails via function "Send yourself a copy". And with
using of Insufficient Anti-automation vulnerability it's possible to send
spam from the site in automated manner on a large scale. The attack with
using of this function is possible only for logged in users.

For automated sending of spam it's needed to use before-mentioned
Insufficient Anti-automation vulnerabilities - there is no captcha in Drupal
itself, and existent captcha-module is vulnerable (and also all plugins to
it, such as reCAPTCHA).

About such Abuse of Functionality vulnerabilities I wrote in article Sending
spam via sites and creating spam-botnets
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html).

Abuse of Functionality (WASC-42):

At request to specific pages of the site with setting login
(http://site/users/user) it's possible to find existent logins of the users
at site (i.e. to enumerate logins). If shows "Access denied" - then such
login exists, and if "Page not found" - then no.

At request to pages for contact with users (http://site/user/1/contact)
login of the user shows (i.e. it's possible to enumerate logins). The attack
is possible to conduct only for logged in users and it'll work only if
attacked user turned on the option "Personal contact form" in his profile.

------------
Timeline:
------------

2010.12.15 - announced at my site.
2010.12.16 - informed developers.
2011.02.17 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4763/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1ezF8ACgkQkSlsbLsN1gA3KAb9GAwPgHQPFrmPSam+i9/BDIm0
jiR7Yxx0A9ubv3xvQAyz+cVIvcXEXVE040PirkpcnC6lY4ZXWCdvzUiYVrkarlJC
y6CZ8WVw8xsnjxZb382wHUE00SQF4rylAv4OP0WYDDUqjdEPA+CLxKfaO/LtrmIB
b3QNPEkJhrxNnW6nHc+JeqAG6Ukz+0zpKen+Wi1IPaOR1XGMaiak7IjSdN91u/XV
MHlOKyOr1NLEOMze2+rH8PexbrWAXuWyj74F+2lVOeiiD95ZY3CpnIVKJGb6G79h
EuSuV/+JZ/Idj7pWIO4=
=pZNB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]