[Full-disclosure] Multiple vulnerabilities in MyBB
fxchip at gmail.com
Wed Apr 27 20:57:16 BST 2011
I had another question too -- this one a bit more general. With services
like deathbycaptcha, could CAPTCHA itself now be considered insufficient
anti-automation, and how would you address that?
On Apr 25, 2011 11:59 AM, "MustLive" <mustlive at websecurity.com.ua> wrote:
> Hello Andrew!
>> You're kidding, right?
> No, I'm serious - as I'm always serious when I talk about vulnerabilities.
>> Revealing the names of forum users is practically core functionality.
> Of course it's core functionality. But the hole, as I wrote exactly in my
> advisory, is the revealing of logins. So the issue lies in using logins as
> names; as a result, showing names at different parts of the forum leads
> to leakage of logins. It's quite widespread in forum engines and other
> webapps to disclose their logins (via different Information Leakage and
> Abuse of Functionality holes) as if it were nothing important. Some CMS like
> even have an official answer concerning this issue
> (http://drupal.org/node/1004778). From my side, I've informed the Drupal
> developers about 8 login leakage holes which I found (in Drupal 6; the new
> version 7 must have them all, because the developers ignore this issue)
> and gave them recommendations on why and how to fix such holes so as not to
> reveal logins and to preserve Drupal's philosophy.
> Many forums (almost all) have similar login leakage vulnerabilities. For
> example IPB and vBulletin, whose developers I informed about them in
> 2009. Likewise I informed many other developers and admins about such holes,
> besides the developers of MyBB (who ignored fixing them, as many like to do).
> I have seen a lot of such vulnerabilities over more than six years. And in
> 2008 I started to write about them at my site (for example about holes in
> WordPress), wrote the article Enumerating logins via Abuse of Functionality
> (http://websecurity.com.ua/2840/), and starting from 2009 I began fighting
> them by informing many admins and developers about such vulnerabilities.
> In my practice most web developers and admins of sites ignored such holes,
> but there were those who fixed them. For example the developers of IPB,
> which had such holes in IPB 1 and 2, after my
> (at the beginning of 2009) fixed all such holes in their engine in IPB 3
> (which was released in summer 2009). It must be obvious why I have been using
> Invision Power Board as the engine for my forum for more than six years.
>> The first one requires an activation code sent by email.
> This IAA hole can be used for automatic registration, together with the IAA
> hole at the registration page. Whether to put a captcha on the first or the
> second or both of the pages is up to the developers. But the protection must
> be reliable. Plus they have login leakage in this functionality. I've informed
> the developers of MyBB about all the login leakage vulnerabilities (which I
> found at a brief look at this engine).
>> The second one
> This functionality with IAA allows spammers to identify valid e-mails of
> existing forum users and also allows spamming registered users from the
> forum with "password recovery" letters. Both can be easily mitigated by
> installing a captcha on this functionality.
> Best wishes & regards,
> Administrator of Websecurity web site
> ----- Original Message -----
> From: "Andrew Farmer" <andfarm at gmail.com>
> To: "MustLive" <mustlive at websecurity.com.ua>
> Cc: "Full Disclosure" <full-disclosure at lists.grok.org.uk>
> Sent: Saturday, April 23, 2011 10:32 PM
> Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB
> On 2011-04-22, at 09:21, MustLive wrote:
>> Information Leakage (WASC-13):
>> Logins are names of the users at the forum (and so it's possible to
>> logins at forum's pages).
> You're kidding, right?
> Revealing the names of forum users is practically core functionality.
> There's no expectation whatsoever that they be kept secret - they're
> displayed all over the site, and a member list (giving you the ability to
> download ALL USER NAMES ON THE FORUM OMG) is enabled by default.
>> Insufficient Anti-automation (WASC-21):
>> These functionalities have no protection from automated attacks
> The first one requires an activation code sent by email. I suppose you
> *try* to brute-force it, but you'd probably have better luck brute-forcing
> the password on the email address you sent the activation to.
> The second one... well, I suppose you could use it to try to determine
> whether email addresses belong to anyone on the forum, or send annoying
> password reset emails, but adding a CAPTCHA wouldn't really change that
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
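The thread argues about two things: whether a password-recovery form that answers differently for registered and unregistered addresses is a real problem, and whether a CAPTCHA is enough once solving services exist. The following is an added example, not code from MyBB or from anyone in the thread. It puts a "leaky" recovery handler next to a hardened one that returns one uniform answer, throttles per address and per client, and gates on a CAPTCHA token. The user table, the thresholds, the `captcha_verifier` callable and all function names are assumptions made for illustration.

```python
"""Added example (not MyBB code): password recovery as an e-mail oracle,
and a hardened version. Every name and threshold here is illustrative."""
import time
from collections import defaultdict

# Constructed sample user table (hypothetical data, not from any real forum).
USERS = {"alice@example.org": "alice", "bob@example.org": "bob"}


def leaky_forgot_password(email, outbox):
    """Vulnerable pattern: the reply reveals whether the address is registered,
    and nothing limits how many reset mails one real user can be sent."""
    if email not in USERS:
        return "No user is registered with that e-mail address."
    outbox.append((email, "password reset link"))
    return "A password reset link has been sent to your e-mail address."


class RecoveryService:
    """Hardened pattern: uniform response, per-e-mail and per-client throttles,
    CAPTCHA gate. Limits are example values chosen for this demonstration."""

    UNIFORM = "If that address is registered, a reset link has been sent to it."

    def __init__(self, captcha_verifier, max_per_email=3, max_per_client=10,
                 window=3600, clock=time.time):
        self.captcha_verifier = captcha_verifier   # assumed: token -> bool
        self.max_per_email = max_per_email
        self.max_per_client = max_per_client
        self.window = window                       # seconds
        self.clock = clock                         # injectable for testing
        self.email_hits = defaultdict(list)
        self.client_hits = defaultdict(list)
        self.outbox = []                           # stands in for the mailer

    def _recent(self, table, key):
        """Drop timestamps outside the window and return how many remain."""
        now = self.clock()
        table[key] = [t for t in table[key] if now - t < self.window]
        return len(table[key])

    def forgot_password(self, email, client_id, captcha_token):
        # 1. CAPTCHA gate first: it raises the cost of automation, but its
        #    answer must not depend on the e-mail, so it is checked before lookup.
        if not self.captcha_verifier(captcha_token):
            return "Please complete the CAPTCHA."
        # 2. Per-client throttle: the layer that still holds when the CAPTCHA
        #    is being solved by a service, so one client cannot sweep addresses.
        if self._recent(self.client_hits, client_id) >= self.max_per_client:
            return self.UNIFORM
        self.client_hits[client_id].append(self.clock())
        # 3. Per-address throttle: caps the reset mail a real user can receive.
        key = email.strip().lower()
        if self._recent(self.email_hits, key) >= self.max_per_email:
            return self.UNIFORM
        self.email_hits[key].append(self.clock())
        # 4. Send only for registered addresses; the reply is identical either way.
        if key in USERS:
            self.outbox.append((key, "password reset link"))
        return self.UNIFORM


if __name__ == "__main__":
    box = []
    print(leaky_forgot_password("alice@example.org", box))
    print(leaky_forgot_password("nobody@example.org", box))   # different text: oracle
    svc = RecoveryService(captcha_verifier=lambda token: token == "ok")
    print(svc.forgot_password("alice@example.org", "client-1", "ok"))
    print(svc.forgot_password("nobody@example.org", "client-1", "ok"))   # same text
```

The uniform reply closes the direct oracle; the two throttles are what limit the reset-mail flooding and the address sweeps even when the CAPTCHA is outsourced. One caveat the code does not show: because mail is only sent for registered addresses, a measurable time difference can remain, so in a real deployment the send should be queued asynchronously so the response time is the same in both branches.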