Re: Multiple vulnerabilities in MyBB
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 4 May 2011 23:50:31 +0300
> With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation,
Any captcha which has no vulnerabilities in its code itself (such as those described by me in 2007 in my project Month of
Bugs in Captchas) can't be considered Insufficient Anti-automation by default, regardless of the existence of
Deathbycaptcha and other services of the Captcha Solver as a Service type.

Holes in the algorithms of captchas are a posteriori holes, so they are exactly IAA. Attacks via OCR or "hired" humans
are a priori holes - holes in the idea itself. And they are considered by the creators of captchas, or at least they should be
considered :-). So the user of every captcha which is secure (against a posteriori holes) needs to take into account that
OCR and "hired" humans (a priori holes) exist and can create problems, which can also come from different Captcha Solver
as a Service offerings. And if such problems appear, then improvements can be made to the captcha, or other methods of
> and how would you address that?
By improving the captcha. You could see such "hard captchas", where it's hard to see the text on them or where there is a
mathematical equation. Such captchas can create serious problems for OCR and "hired" humans (but can also complicate the
process for legitimate users of the site). So it's up to every admin to decide what is more important to him -
usability for users (and for OCR and "hired" humans), or the security of his site.
Other methods (captcha-less) can also be used if a captcha is not optimal for a concrete site. Like putting some
functionality into the user account (to make it post-auth, but there must be no other holes, like those which I wrote about
in my article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html)), using automated
anti-spam services, and other methods - all of which have different nuances with usability. So it must be carefully
chosen for every particular case.
Best wishes & regards,
Administrator of Websecurity web site
----- Original Message -----
From: Zach C.
Cc: Andrew Farmer ; full-disclosure () lists grok org uk
Sent: Wednesday, April 27, 2011 10:57 PM
Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB
I had another question too -- this one a bit more general. With services like deathbycaptcha, could CAPTCHA itself
now be considered insufficient anti-automation, and how would you address that?
On Apr 25, 2011 11:59 AM, "MustLive" <mustlive () websecurity com ua> wrote:
> Hello Andrew!
>> You're kidding, right?
> No, I'm serious - as I'm always serious when I talk about vulnerabilities.
>> Revealing the names of forum users is practically core functionality.
> Of course it's core functionality. But the hole, as I wrote exactly in my
> advisory, is in the revealing of logins. So the issue lies in using logins as
> names, so as a result the showing of names at different parts of the forum is
> leading to leakage of logins. It's quite widespread in forum engines and
> other webapps to disclose their logins (via different Information Leakage
> and Abuse of Functionality holes) as if it were nothing important. Some CMS like Drupal
> even have an official answer concerning this issue
> (http://drupal.org/node/1004778). From my side, I've informed the Drupal
> developers about 8 login leakage holes which I found (in Drupal 6; the new 7
> version must have them all, because of the developers' ignoring of this issue)
> and gave them recommendations on why and how to fix such holes so as not to reveal
> logins and to preserve Drupal's philosophy.
> Many forums (almost all) have similar login leakage vulnerabilities. For
> example IPB and vBulletin, whose developers I informed about them in
> 2009. Like I informed many other developers and admins about such holes,
> besides the developers of MyBB (who ignored fixing them, as many like to do).
> I have seen a lot of such vulnerabilities for more than six years. And in 2008 I
> started to write about them at my site (like about holes in WordPress),
> wrote the article Enumerating logins via Abuse of Functionality vulnerabilities
> (http://websecurity.com.ua/2840/) and starting from 2009 I began actively
> fighting them - by informing many admins and developers about such
> vulnerabilities. In my practice most web developers and admins of sites
> ignored such holes, but there were those who fixed them. For example the
> developers of IPB, which had such holes in IPB 1 and 2, after my informing them
> (at the beginning of 2009) fixed all such holes in their engine in IPB 3 (which was
> released in summer 2009). It must be obvious why I have been using Invision Power
> Board as the engine for my forum for more than 6 years.
>> The first one requires an activation code sent by email.
> This IAA hole can be used for automatic registration. Together with the IAA
> hole at the registration page. Whether to put a captcha on the first or the second or both
> of the pages - it's up to the developers. But the protection must be reliable.
> Plus they have login leakage in this functionality. I've informed the developers
> of MyBB about all the login leakage vulnerabilities (which I found at a brief look at
> this engine).
>> The second one
> This functionality with IAA allows spammers to identify valid e-mails of
> existing forum users and also allows spamming registered users of the forum
> with "password recovery" letters. Both of which can be easily mitigated by
> installing a captcha on this functionality.
> Best wishes & regards,
> Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
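The thread above describes two abuses of a forum's "password recovery" form: its reply reveals whether an address belongs to a registered user (login/e-mail leakage), and, with no anti-automation, each request mails another recovery letter to the victim. The following is an added illustration written for this archive page; it is not MyBB's code and not code from anyone in the thread. The handler names, the `USERS` table, the `Mailer` stub, the throttling limits and the `captcha_ok` flag are all constructed assumptions. It puts the leaky pattern beside a hardened one that answers uniformly, gates on a captcha result and throttles per requester and per target.

```python
"""Password-recovery form: enumeration/abuse-prone version beside a hardened one.

Added illustration for the mailing-list thread above; it is not MyBB's code
and not the code of anyone in the thread. Both handlers, the user table,
the mailer and the throttling limits are constructed for this example.
"""
import time
from collections import defaultdict

# Constructed sample accounts: e-mail -> login. Not real users.
USERS = {"alice@example.org": "alice", "bob@example.org": "bob"}


class Mailer:
    """Records outgoing messages instead of sending them (constructed stub)."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


def recover_leaky(email, mailer):
    """Vulnerable pattern: the reply differs for known and unknown addresses,
    so anyone can confirm which e-mails belong to registered users, and every
    request sends another mail, so a victim can be flooded with recovery letters."""
    if email not in USERS:
        return "No account with that e-mail address"
    mailer.send(email, "Password recovery for %s" % USERS[email])
    return "Recovery instructions sent to %s" % email


class RecoveryService:
    """Hardened pattern: one uniform reply, a captcha gate, and throttling per
    requesting IP and per target address, applied before the account lookup."""

    UNIFORM = "If that address is registered, recovery instructions have been sent"

    def __init__(self, mailer, max_per_source=5, max_per_target=1,
                 window=3600, clock=time.time):
        self.mailer = mailer
        self.max_per_source = max_per_source  # requests per IP per window
        self.max_per_target = max_per_target  # requests per address per window
        self.window = window                  # sliding window in seconds
        self.clock = clock
        self.by_source = defaultdict(list)    # ip -> request timestamps
        self.by_target = defaultdict(list)    # e-mail -> request timestamps

    def _count(self, bucket, key, now):
        # Drop timestamps outside the sliding window, then record this request.
        recent = [t for t in bucket[key] if now - t < self.window]
        recent.append(now)
        bucket[key] = recent
        return len(recent)

    def recover(self, email, source_ip, captcha_ok, now=None):
        now = self.clock() if now is None else now
        # Captcha check first (the mitigation proposed in the thread). Its
        # outcome does not depend on the address, so it leaks nothing.
        if not captcha_ok:
            return "Captcha check failed"
        # Count every attempt, whether or not the address exists, so the
        # throttling behaviour itself does not reveal which accounts exist.
        over_source = self._count(self.by_source, source_ip, now) > self.max_per_source
        over_target = self._count(self.by_target, email, now) > self.max_per_target
        if not (over_source or over_target) and email in USERS:
            self.mailer.send(email, "Password recovery for %s" % USERS[email])
        # Same reply on every path. A real deployment should also keep the
        # response time constant (e.g. always perform the lookup and any hashing).
        return self.UNIFORM


def enumerate_with_leaky(candidates, mailer):
    """What an attacker learns from the leaky form: the registered addresses."""
    return {c for c in candidates if "sent" in recover_leaky(c, mailer)}


def enumerate_with_hardened(candidates, service, source_ip):
    """The same probe against the hardened form: the set of distinct replies."""
    return {service.recover(c, source_ip, captcha_ok=True, now=0) for c in candidates}


if __name__ == "__main__":
    probe = ["alice@example.org", "nobody@example.org", "bob@example.org"]
    print("leaky form reveals:", sorted(enumerate_with_leaky(probe, Mailer())))
    print("hardened form replies:", enumerate_with_hardened(probe, RecoveryService(Mailer()), "203.0.113.7"))
```

The leaky handler gives the attacker a clean oracle (two distinct replies) and unlimited mail per request; the hardened one collapses the reply set to a single string and caps mail per target to one per window, with the per-source limit stopping bulk probing from one address. The captcha hook only models the decision, since validating a real captcha is out of scope for the thread.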