ShAnKaR: Simple Machines Forum CAPTCHA bypass and PHP injection

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: Mon Jun 18 2007 - 04:49:53 CDT


Dear bugtraq@securityfocus.com,

  ShAnKaR <shankar at shankar.name> reported vulnerabilities in Simple
  Machines Forum 1.1.2 (aka SMF) http://www.simplemachines.org/

  Original advisory (in Russian):
  http://securityvulns.ru/Rdocument271.html

1. Weak sound-based CAPTCHA protection

   In this engine, the sound-CAPTCHA-based automated registration
   protection is implemented with a WAV file generated by concatenating
   a few different sound files. The developers randomize the WAV file,
   but this randomization is insufficient and can be bypassed by brute
   forcing with known sound templates.

[blahlocalhost smfh]$ ./captcha.pl http://localhost/smf/
nnrbv
created in 1.41827201843262 seconds
[andreylocalhost smfh]$ ./captcha.pl http://localhost/smf/
vpubu
created in 1.49515509605408 seconds
[andreylocalhost smfh]$ ./captcha.pl http://localhost/smf/
ntfhh
created in 2.31928586959839 seconds
[andreylocalhost smfh]$ ./captcha.pl http://localhost/smf/
egudz
created in 0.823321104049683 seconds

  As can be seen, brute forcing usually takes only 1-2 seconds. See the
  attached script.

2. PHP injection

It is possible to execute arbitrary PHP code during the creation or
editing of a forum message.
(No further details are given by the advisory author.)

--
http://securityvulns.com/
         /\_/\
        { , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/


  • application/octet-stream attachment: capcha.pl
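The following is an added illustration, not the attached capcha.pl and not code from SMF or the advisory author. It models the design flaw item 1 describes: when an audio CAPTCHA is built by concatenating one fixed sound template per character, the waveform is a deterministic function of the code, so whoever holds the same templates can read the code back by exact segment lookup, and the only thing the "randomization" protects is how the segments are spaced. Everything in it is constructed: the per-letter templates are seeded pseudo-random 8-bit sample sequences, the segment length is 64 samples, and the random silence gap between segments stands in for the insufficient randomization the advisory mentions; none of this reflects SMF's real file format.

```python
"""Toy model of a concatenation-based audio CAPTCHA (constructed example).

Purpose: show a defender why "fixed template per character, randomized
assembly" gives no protection once the templates are known. Template
contents, segment length and the gap randomization are assumptions of this
toy and not Simple Machines Forum's actual audio format.
"""
import random
import string

SEGMENT_LEN = 64            # samples per character template (assumption)
ALPHABET = string.ascii_lowercase


def build_templates(seed=1):
    """One fixed 'sound template' per letter: a constructed, non-zero 8-bit
    sample sequence. Zero is reserved for silence so the gap is easy to find."""
    rng = random.Random(seed)
    return {c: tuple(rng.randrange(1, 256) for _ in range(SEGMENT_LEN))
            for c in ALPHABET}


def make_captcha(code, templates, rng):
    """Concatenate the templates for each character, separated by a silence
    gap of random length. The gap length is the only per-instance randomness,
    standing in for the weak randomization the advisory describes."""
    samples = []
    for ch in code:
        samples.extend([0] * rng.randrange(0, 40))   # random silence gap
        samples.extend(templates[ch])                # fixed template, unchanged
    return samples


def recover_code(samples, templates):
    """Template lookup: skip silence, take one segment, look it up verbatim.
    If this returns the original code, the CAPTCHA adds nothing beyond the
    secrecy of the templates, which a public product cannot provide."""
    lookup = {tpl: ch for ch, tpl in templates.items()}
    out = []
    i = 0
    while i < len(samples):
        if samples[i] == 0:          # silence gap: ignore it
            i += 1
            continue
        segment = tuple(samples[i:i + SEGMENT_LEN])
        out.append(lookup.get(segment, "?"))   # '?' if no template matches
        i += SEGMENT_LEN
    return "".join(out)


def roundtrip(code, seed=2007):
    """Build a CAPTCHA for `code` with the given assembly seed and return what
    exact template lookup reads back from the audio."""
    templates = build_templates()
    audio = make_captcha(code, templates, random.Random(seed))
    return recover_code(audio, templates)


def demo(seed=2007):
    """Pick a random 5-letter code, assemble it, and return (code, recovered)."""
    rng = random.Random(seed)
    code = "".join(rng.choice(ALPHABET) for _ in range(5))
    return code, roundtrip(code, seed)


if __name__ == "__main__":
    code, recovered = demo()
    print(f"code={code} recovered={recovered} match={code == recovered}")
```

Whatever seed drives the gap lengths, `roundtrip` returns the original code, which is the point: randomizing how fixed segments are glued together changes the file bytes without changing what the file encodes. A check a forum operator can apply to any audio CAPTCHA is exactly this one: if the per-character sound is byte-identical across challenges, the scheme is broken by design regardless of how the assembly is shuffled.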