Latest YouTube Video

Wednesday, October 19, 2016

[FD] CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code

Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code Credit: Elar Lang / http://ift.tt/1WV5vQa Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code Vulnerable version: before 3.6.0 CVE: CVE-2016-8600 Vendor/Product: dotCMS (http://dotcms.com/) # Background and description It's possible to re-use valid CAPTCHA code in dotCMS framework. Last loaded CAPTCHA code is stored in session and CAPTCHA code is renewed only when you reload image /Captcha.jpg from server. But if you don't reload it, you can use previous valid CAPTCHA code till your session is alive. Problem was first announced with CRLF/Email Header Injection: * link1: http://ift.tt/2eGYLGM * link2: http://ift.tt/1OOp6Js # Preconditions Attacker must first fill manually valid CAPTCHA code. No other pre-conditions - no authentication or authorization needed. # Proof-of-Concept You need to detect from a dotCMS server: * valid CAPTCHA by loading /Captcha.jpg * your session id (JSESSIONID) value If some form asks CAPTCHA, you can use those 2 values for sending valid data. Proof-of-Concept with a detailed description is available at: http://ift.tt/2eGYLGM # Vulnerability Disclosure Timeline First I mentioned CAPTCHA reuse possibility in other reports 2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in Email Header Injection description 2015-12-14 | me > dotCMS | asked feedback in other set of reported vulnerabilities As reported Email Header Injection and different SQL injections were fixed and CAPTCHA reuse wasn't fixed, I Reported separately 2016-05-27 | me > dotCMS | description of CAPTCHA reuse process 2016-06-29 | me > dotCMS | any comments or feedback? 2016-07-06 | dotCMS > me | confirmed bug and opened issue 2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be programmatically reused by passing session id #9330" 2016-07-07 | me > mitre.org | CVE requested .. no response 2016-09-02 | dotCMS | dotCMS version 3.6.0 release 2016-10-10 | me > mitre.org | CVE requested via web form 2016-10-11 | mitre.org > me | CVE-2016-8600 assigned 2016-10-17 | me | Full Disclosure on security.elarlang.eu # Fixes Update dotCMS at least to version 3.6.0 Issue description and timeline: http://ift.tt/2eGYJPa

Source: Gmail -> IFTTT-> Blogger

No comments: