
List:       full-disclosure
Subject:    Re: [Full-disclosure] BF, CSRF, and IAA vulnerabilities in websecurity.com.ua
From:       some one <s3cret.squirell () gmail ! com>
Date:       2012-12-31 23:58:54
Message-ID: CA+1kKf5d-MPSGdcPVnJmvmit2jb1tDbpwdMnW7TWkWSUfa017Q () mail ! gmail ! com
If you do not like or find of interest what the guy posts, is it not easier
to just press delete or filter him out rather than try to make fun of him?

Give the dude a break, man, he's submitting more things of interest than you
are and you just make yourself sound bitter and twisted.

It's new year, man, go out and drink a beer or eat some fireworks.
On Dec 31, 2012 5:17 PM, "Julius Kivimäki" <julius.kivimaki@gmail.com>
wrote:

> Hello list!
>
> I want to warn you about multiple extremely severe vulnerabilities in
> websecurity.com.ua.
>
> These are Brute Force and Insufficient Anti-automation vulnerabilities in
> websecurity.com.ua. These vulnerabilities are very serious and could affect
> millions of people.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of websecurity.com.ua.
>
> ----------
> Details:
> ----------
>
> Brute Force (WASC-11):
>
> In the FTP server (websecurity.com.ua:21) there is no protection from Brute
> Force attacks.
>
> Cross-Site Request Forgery (WASC-09):
>
> Lack of captcha in the login form (http://websecurity.com.ua:21/) can be used
> for different attacks - for CSRF-attack to login into account (remote login -
> to conduct attacks on vulnerabilities inside of account), for automated
> entering into account, for phishing and other automated attacks, which you
> can read about in the article "Attacks on unprotected login forms"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
>
> Insufficient Anti-automation (WASC-21):
>
> In the login form there is no protection against automated requests, which
> allows picking up logins in an automated way by attacking the login function.
>
> ------------
> Timeline:
> ------------
>
> 2012.06.28 - announced at my site about websecurity.com.ua.
> 2012.06.28 - informed developers about the first part of vulnerabilities in
> websecurity.com.ua.
> 2012.06.30 - informed developers about the second part of vulnerabilities in
> websecurity.com.ua.
> 2012.07.26 - announced at my site about websecurity.com.ua.
> 2012.07.28 - informed developers about vulnerabilities in websecurity.com.ua
> and reminded about previous two letters I had sent to them with carrier
> pigeons.
> 2012.07.28-2012.10.31 - multiple attempts to contact the owners of
> websecurity.com.ua were ignored by the owners.
> 2012.11.02 - developers responded "fuck off and kill urself irl!".
> 2012.12.31 - disclosed on the list
>
> Best wishes & regards,
> MustLive
> Security master extraordinaire, master sysadmin
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
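The quoted advisory, parody or not, names two weakness classes: brute force against a login service and missing anti-automation on a login form. As an added example that is not part of this post and not code from either of its authors, the Python below sketches the defender's side of both: a sliding-window login throttle of the kind a server would consult to refuse further attempts from a source after repeated failures, and a detector that replays authentication log lines through the same throttle to flag a failure burst and any success that follows one. The log format, thresholds, addresses and user names are all constructed for the example and correspond to no real server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (the format is invented here,
# not taken from any real FTP or web server).
SAMPLE_LOG = """\
2012-12-31 23:40:01 LOGIN FAIL user=admin src=203.0.113.5
2012-12-31 23:40:03 LOGIN FAIL user=admin src=203.0.113.5
2012-12-31 23:40:04 LOGIN FAIL user=admin src=203.0.113.5
2012-12-31 23:40:06 LOGIN FAIL user=admin src=203.0.113.5
2012-12-31 23:40:07 LOGIN FAIL user=admin src=203.0.113.5
2012-12-31 23:40:09 LOGIN OK   user=admin src=203.0.113.5
2012-12-31 23:41:00 LOGIN FAIL user=alice src=198.51.100.7
2012-12-31 23:55:00 LOGIN FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>FAIL|OK)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


class LoginThrottle:
    """Sliding-window failure counter with a lockout, keyed by source address.

    A login service would check is_locked() before verifying credentials and
    call record_failure() after each rejected attempt.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # src -> recent failure timestamps
        self._locked_until = {}               # src -> datetime the lockout ends

    def is_locked(self, src, now):
        return now < self._locked_until.get(src, datetime.min)

    def record_failure(self, src, now):
        """Record a failed attempt; return True when this one trips the lockout."""
        recent = self._failures[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.threshold and not self.is_locked(src, now):
            self._locked_until[src] = now + self.lockout
            recent.clear()
            return True
        return False


def analyze(log_text, **throttle_kwargs):
    """Replay log lines through a LoginThrottle and return alert tuples.

    BRUTE_FORCE: a source crossed the failure threshold inside the window.
    SUCCESS_AFTER_BURST: a source logged in while it would still have been
    locked out, i.e. the guessing most likely succeeded.
    """
    throttle = LoginThrottle(**throttle_kwargs)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "OK":
            if throttle.is_locked(src, ts):
                alerts.append(("SUCCESS_AFTER_BURST", src, user, ts.isoformat()))
        elif throttle.record_failure(src, ts):
            alerts.append(("BRUTE_FORCE", src, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Keying the window on the source address is the simplest choice; a production throttle would also count per account, since a distributed guesser spreads attempts across many sources, and would return the same generic error for locked and wrong-password cases so the lockout itself does not leak which accounts exist.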