Re: Vulnerabilities in phpCOIN
About Us:
http://phpcoin.com/mod.php?mod=siteinfo&id=4
It is with profound sorrow, sadness and regret, that COINSoft
Technologies Inc. must announce the death of their lead developer
Stephen M. Kitching (cantex) after a mercifully short battle with cancer.
Stephen was both an inspiration and good friend to everyone who knew and
worked with him. He will be greatly missed, and his ingenuity and work
will live on in the thoughts of all those, who were and will be touched,
by the contributions he made to the software he dedicated his life to.
Our deepest sympathies, hearts and prayers go out to Steven's family and
friends.
-------------
If I were a customer of theirs I'd be cutting them some slack. I'm just
sayin'.
MustLive wrote:
> Hello Bugtraq!
>
> I want to warn you about security vulnerabilities in system phpCOIN.
>
> -----------------------------
> Advisory: Vulnerabilities in phpCOIN
> -----------------------------
> URL: http://websecurity.com.ua/4090/
> -----------------------------
> Affected products: phpCOIN 1.6.5 and previous versions.
> -----------------------------
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 01.04.2010 - disclosed at my site.
> 02.04.2010 - informed developers.
> -----------------------------
> Details:
>
> These are Insufficient Anti-automation and Denial of Service
> vulnerabilities.
>
> The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
> which
> is using in this system. I already reported about vulnerabilities in
> CaptchaSecurityImages (http://websecurity.com.ua/4043/).
>
> Insufficient Anti-automation:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
>
>
> Captcha bypass is possible via half-automated or automated (with using of
> OCR) methods, which were mentioned before
> (http://websecurity.com.ua/4043/).
>
> DoS:
>
> http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000
>
>
> With setting of large values of width and height it's possible to create
> large load at the server.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
討論串 (同標題文章)