[Full-disclosure] ShAnKaR: Simple Machines Forum CAPTCHA bypass and PHP injection
3APA3A
3APA3A at SECURITY.NNOV.RU
Mon Jun 18 10:49:53 BST 2007
Dear bugtraq at securityfocus.com,
ShAnKaR <shankar at shankar.name> reported vulnerabilities in Simple
Machines Forum 1.1.2 (aka SMF) http://www.simplemachines.org/
Original advisory (in Russian):
http://securityvulns.ru/Rdocument271.html
1. Weak sound-based CAPTCHA protection
In this engine, the sound CAPTCHA based automated registration protection
is implemented with a WAV file generated by concatenating a few
different sound files. The developers use WAV file randomization, but
this randomization is insufficient and can be bypassed by
bruteforcing with known sound templates.
[blah at localhost smfh]$ ./captcha.pl http://localhost/smf/
nnrbv
created in 1.41827201843262 seconds
[andrey at localhost smfh]$ ./captcha.pl http://localhost/smf/
vpubu
created in 1.49515509605408 seconds
[andrey at localhost smfh]$ ./captcha.pl http://localhost/smf/
ntfhh
created in 2.31928586959839 seconds
[andrey at localhost smfh]$ ./captcha.pl http://localhost/smf/
egudz
created in 0.823321104049683 seconds
As can be seen, the bruteforce usually takes only 1-2 seconds. See the
attached script.
2. PHP injection
It is possible to execute arbitrary PHP code while creating or
editing a forum message.
(No further details are given by the advisory author.)
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: capcha.pl
Type: application/octet-stream
Size: 23005 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070618/2f19ca2e/attachment.obj
Full-Disclosure is hosted and sponsored by Secunia.
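The weakness in section 1 is that the per-letter recordings reach the listener as byte-identical copies, so a known template can be slid over the generated clip until it lines up. The following added example (it is neither the advisory's attached script nor SMF's own code) models this on constructed stand-ins: each "recording" is a pure tone, the weak generator only varies gaps and overall volume, and the hardened generator adds per-letter speed/pitch jitter, per-letter gain and background noise. An audit function reports the peak normalised cross-correlation of every template against the clip, which is the check a forum operator would want before trusting an audio CAPTCHA. The alphabet, tone frequencies, jitter ranges and noise level are all assumptions chosen for the demonstration.

```python
import math
import random
import struct
import wave

SAMPLE_RATE = 4000          # Hz; deliberately low so the pure-Python correlation stays fast
TONE_SECONDS = 0.10         # length of each per-letter "recording"
AMPLITUDE = 0.8

# Constructed stand-ins for the per-letter WAV snippets an audio CAPTCHA
# concatenates: one pure tone per letter (assumed alphabet and frequencies).
# A real deployment uses spoken letters, but the template-matching weakness is the same.
FREQS = {"a": 400.0, "b": 600.0, "c": 900.0}


def make_tone(freq):
    """Sine tone of TONE_SECONDS at freq, as float samples in [-1, 1]."""
    n = int(SAMPLE_RATE * TONE_SECONDS)
    return [AMPLITUDE * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


TEMPLATES = {ch: make_tone(f) for ch, f in FREQS.items()}


def silence(seconds):
    return [0.0] * int(SAMPLE_RATE * seconds)


def weak_captcha(code, rng):
    """Cosmetic randomisation only: random gaps and one overall gain.
    Every letter is still an exact copy of its template, so sliding a known
    template over the clip recovers it (this models the insufficient
    randomisation the advisory describes, not SMF's actual generator)."""
    gain = rng.uniform(0.5, 1.0)
    out = []
    for ch in code:
        out += silence(rng.uniform(0.03, 0.12))
        out += [gain * x for x in TEMPLATES[ch]]
    out += silence(0.05)
    return out


def resample(samples, factor):
    """Linear-interpolation playback-speed change: the output has len*factor
    samples, so pitch and duration both scale (by 1/factor and factor)."""
    n = max(1, round(len(samples) * factor))
    out = []
    for i in range(n):
        pos = i / factor
        lo = int(pos)
        frac = pos - lo
        if lo + 1 < len(samples):
            out.append(samples[lo] * (1 - frac) + samples[lo + 1] * frac)
        else:
            out.append(samples[min(lo, len(samples) - 1)])
    return out


def hardened_captcha(code, rng):
    """Per-letter randomisation a fixed template set does not survive:
    speed/pitch jitter of at least 10 %, per-letter gain, random gaps and
    broadband background noise over the whole clip (assumed ranges)."""
    out = []
    for ch in code:
        out += silence(rng.uniform(0.03, 0.12))
        factor = rng.choice([rng.uniform(0.80, 0.90), rng.uniform(1.10, 1.25)])
        gain = rng.uniform(0.5, 1.0)
        out += [gain * x for x in resample(TEMPLATES[ch], factor)]
    out += silence(0.05)
    return [x + rng.uniform(-0.02, 0.02) for x in out]


def best_correlation(signal, template):
    """Peak normalised cross-correlation of template against every window of
    signal (0 = unrelated, 1 = exact copy up to volume).  Prefix sums of
    squared samples give each window's energy in O(1)."""
    m = len(template)
    t_norm = math.sqrt(sum(x * x for x in template))
    prefix = [0.0]
    for x in signal:
        prefix.append(prefix[-1] + x * x)
    best = 0.0
    for lag in range(len(signal) - m + 1):
        w_norm = math.sqrt(max(prefix[lag + m] - prefix[lag], 0.0))
        if w_norm < 1e-9:
            continue                      # pure silence: nothing to compare
        dot = sum(a * b for a, b in zip(signal[lag:lag + m], template))
        best = max(best, abs(dot) / (w_norm * t_norm))
    return best


def audit(signal, code):
    """Highest match score of each letter's template anywhere in the clip."""
    return {ch: best_correlation(signal, TEMPLATES[ch]) for ch in sorted(set(code))}


def write_wav(path, samples):
    """16-bit mono PCM, so both variants can be listened to."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, x)) * 32767))
                               for x in samples))


if __name__ == "__main__":
    rng = random.Random(7)
    code = "".join(rng.choice("abc") for _ in range(5))
    weak = weak_captcha(code, rng)
    hard = hardened_captcha(code, rng)
    write_wav("weak.wav", weak)
    write_wav("hardened.wav", hard)
    print("code:", code)
    print("weak     :", audit(weak, code))   # every letter's template is found (score ~1.0)
    print("hardened :", audit(hard, code))   # no template lines up (scores below 0.6)
```

The score that matters is the one for the *correct* letters: in the weak clip it is 1.0 because volume changes and gaps do nothing to a normalised correlation, while a speed change of at least 10 % over a 0.1 s window moves the tone several beat cycles away from its template and the peak collapses. Naive resampling is used only because it is the simplest distortion that defeats exact template matching; real deployments would combine it with spoken-letter variants rather than rely on it alone.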