Full Disclosure mailing list archives

Re: Multiple vulnerabilities in MyBB
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 4 May 2011 23:50:31 +0300

Hi Zach!

> With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation,

Any captcha which has no vulnerabilities in the code itself (such as those described by me in 2007 in my project Month of 
Bugs in Captchas) can't be considered as Insufficient Anti-automation by default, regardless of the existence of 
Deathbycaptcha and other services of type Captcha Solver as a Service.

Holes in the algorithms of captchas are a posteriori holes, so they are exactly IAA. And attacks via OCR or "hired" humans 
are a priori holes - the holes in the idea itself. And they are considered by the creators of a captcha, at least they should be 
considered :-). So the user of every secure (to a posteriori holes) captcha needs to take into account that there exist 
OCR or "hired" humans (a priori holes), which can create problems. Which also can come from different Captcha Solver 
as a Service. And if such problems appear, then there can be made improvements in captcha or used other methods of 

> and how would you address that?

By improving the captcha. You could see such "hard captchas", where it's hard to see the text on it or with 
a mathematical equation. Such captchas can create serious problems for OCR and "hired" humans (but also can complicate 
the process for legitimate users of the site). So it's up to every admin to decide what is more important to him - 
usability for users (and OCR and "hired" humans), or security of his site.

Also, other methods (captcha-less) can be used if a captcha is not optimal for a concrete site. Like putting some 
functionality into the user account (to make it post-auth, but there must be no other holes, like those which I wrote about 
in my article Attacks on unprotected login forms 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)), using automated 
anti-spam services and other methods - all of which have different nuances with usability. So it must be carefully 
chosen for every particular case.

Best wishes & regards,
Administrator of Websecurity web site
  ----- Original Message ----- 
  From: Zach C. 
  To: MustLive 
  Cc: Andrew Farmer ; full-disclosure () lists grok org uk 
  Sent: Wednesday, April 27, 2011 10:57 PM
  Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB

  I had another question too -- this one a bit more general. With services like deathbycaptcha, could CAPTCHA itself 
now be considered insufficient anti-automation, and how would you address that?

  On Apr 25, 2011 11:59 AM, "MustLive" <mustlive () websecurity com ua> wrote:
  > Hello Andrew!
  >> You're kidding, right?
  > No, I'm serious - as I'm always serious when I talk about vulnerabilities.
  >> Revealing the names of forum users is practically core functionality.
  > Of course it's core functionality. But the hole, as I exactly wrote in my
  > advisory, is in revealing of logins. So the issue lies in using logins as
  > names, so as a result showing names at different parts of the forum
  > leads to leakage of logins. It's quite widespread in forum engines and
  > other webapps to disclose their logins (via different Information Leakage
  > and Abuse of Functionality holes) as nothing important. Some CMS like Drupal
  > even have an official answer concerning this issue
  > (http://drupal.org/node/1004778). From my side, I've informed Drupal
  > developers about 8 login leakage holes which I found (in Drupal 6, new 7
  > version must have them all, because of developers' ignoring of this issue)
  > and gave them recommendations why and how to fix such holes to not reveal
  > logins and to preserve Drupal's philosophy.
  > Many forums (almost all) have similar login leakage vulnerabilities. For
  > example IPB and Vbulletin, whose developers I informed about them in
  > 2009. Like I informed many other developers and admins about such holes,
  > beside developers of MyBB (which ignored to fix them, as many like to do).
  > I saw a lot of such vulnerabilities for more than six years. And in 2008 I
  > started to write about them at my site (like about holes in WordPress),
  > wrote article Enumerating logins via Abuse of Functionality vulnerabilities
  > (http://websecurity.com.ua/2840/) and starting from 2009 I've begun actively
  > fighting with them - by informing many admins and developers about such
  > vulnerabilities. In my practice most web developers and admins of sites
  > ignored such holes, but there were those who fixed them. For example
  > developers of IPB, which have such holes in IPB 1 and 2, after my informing
  > (at the beginning of 2009) fixed all such holes in their engine in IPB 3 (it was
  > released in summer 2009). It must be obvious why I'm using Invision Power
  > Board as engine for my forum for more than 6 years.
  >> The first one requires an activation code sent by email.
  > This IAA hole can be used for automatic registration. Together with the IAA
  > hole at the registration page. To put captcha to first or to second or to both
  > of the pages - it's up to developers. But the protection must be reliable.
  > Plus they have login leakage in this functionality. I've informed developers
  > of MyBB about all (which I found at brief looking at this engine) login
  > leakage vulnerabilities.
  >> The second one
  > This functionality with IAA allows spammers to identify valid e-mails of
  > existing forum users and also allows to spam registered users from the forum
  > with "password recovery" letters. Both of which can be easily mitigated by
  > installing captcha at this functionality.
  > Best wishes & regards,
  > MustLive
  > Administrator of Websecurity web site
  > http://websecurity.com.ua
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
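
The password-recovery issue raised in the quoted message (identifying valid e-mails and flooding users with recovery letters) can also be limited with the captcha-less approach mentioned in the reply. The sketch below is an added example, not code from MyBB or from either poster; the class name, limits, reply text and sample addresses are assumptions made for illustration.

```python
import time

# Constructed sample data: registered addresses of a hypothetical forum.
REGISTERED = {"alice@example.com", "bob@example.com"}

# The same text is returned whether or not the address is registered.
GENERIC_REPLY = "If this address is registered, a recovery letter has been sent."


class RecoveryThrottle:
    """Sliding-window limits for a password-recovery form (illustrative)."""

    def __init__(self, per_client=5, per_address=1, window=3600):
        self.per_client = per_client    # requests per client per window
        self.per_address = per_address  # letters per target address per window
        self.window = window            # window length in seconds
        self.hits = {}                  # key -> timestamps of accepted hits

    def _allow(self, key, limit, now):
        recent = [t for t in self.hits.get(key, []) if now - t < self.window]
        allowed = len(recent) < limit
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed

    def request(self, client_ip, email, outbox, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        # This refusal depends only on the client's own request count,
        # so it says nothing about the address that was submitted.
        if not self._allow(("ip", client_ip), self.per_client, now):
            return 429, "Too many requests."
        # The per-address limit is counted for every address, registered or
        # not, and is enforced silently: one letter per window per address.
        if self._allow(("addr", email), self.per_address, now) and email in REGISTERED:
            outbox.append(email)  # stand-in for queuing the recovery letter
        return 200, GENERIC_REPLY
```

In a real handler the letter should be queued rather than sent inline, so response time does not differ between registered and unregistered addresses.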
