|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: MustLive (mustlive
websecurity.com.ua)
Date: Fri Apr 09 2010 - 08:09:56 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello Bugtraq!
I want to warn you about security vulnerabilities in system phpCOIN.
-----------------------------
Advisory: Vulnerabilities in phpCOIN
-----------------------------
URL: http://websecurity.com.ua/4090/
-----------------------------
Affected products: phpCOIN 1.6.5 and previous versions.
-----------------------------
Timeline:
17.03.2010 - found vulnerabilities.
01.04.2010 - disclosed at my site.
02.04.2010 - informed developers.
-----------------------------
Details:
These are Insufficient Anti-automation and Denial of Service
vulnerabilities.
The vulnerabilities exist in captcha script CaptchaSecurityImages.php, which
is using in this system. I already reported about vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).
Insufficient Anti-automation:
http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
Captcha bypass is possible via half-automated or automated (with using of
OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).
DoS:
http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
With setting of large values of width and height it's possible to create
large load at the server.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]