BF, LE and IAA vulnerabilities in InstantCMS

Published 2013-12-09 00:00:00 on vulners.com

Hello 3APA3A!

In addition to multiple vulnerabilities in InstantCMS, which I've disclosed earlier, here are new ones.

These are Brute Force, Login Enumeration and Insufficient Anti-automation vulnerabilities in InstantCMS.


Affected products:

InstantCMS 1.10.3 and previous versions are vulnerable.


Affected vendors:

InstantSoft
http://www.instantcms.ru


Details:

Brute Force (WASC-11):

The login forms have no protection against Brute Force attacks.

http://site/admin/login.php
http://site/login

I found these BF vulnerabilities in older versions of the engine. According to the changelog, the BF holes were fixed in InstantCMS 1.10.1 by adding a captcha. Checking the official web site didn't reveal any captcha, so the fix for both BF holes wasn't verified and the captcha wasn't tested (including how secure it is; as I showed in my Month of Bugs in Captchas in 2007, captchas can be very insecure). Besides, a lot of sites use older versions of InstantCMS, and combined with all the mentioned Login Enumeration vulnerabilities in InstantCMS, these BF holes are very relevant.

Login Enumeration (WASC-42):

In the registration form (http://site/registration), logins can be enumerated via ajax requests.

Insufficient Anti-automation (WASC-21):

The presence of a captcha in the registration form (to protect against automated registration) doesn't protect against automated login enumeration. The requests are sent to the script http://site/core/ajax/registration.php.
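The endpoints named above (both login forms and the ajax registration script) share one failure mode: nothing limits how often a single source may hit them. The following detection snippet is an added example, not code from the advisory or from InstantCMS; it parses constructed combined-format access log lines (sample data) and flags any source that sends more than a threshold of requests to one of those paths inside a sliding time window, which is the kind of burst that brute-force and login-enumeration automation produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Paths from the advisory: the two login forms and the ajax script that
# answers the registration form's login checks without anti-automation.
WATCHED = {"/login", "/admin/login.php", "/core/ajax/registration.php"}

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+?)(?:\?\S*)? HTTP/[\d.]+" (\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_bursts(lines, max_hits=5, window_s=60):
    """Return {(ip, path): peak_count} for sources that exceed max_hits
    requests to a watched path within any window_s-second span."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps in the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in the expected format
        ip, ts, path, _status = m.groups()
        if path not in WATCHED:
            continue
        t = datetime.strptime(ts, TS_FMT)
        q = recent[(ip, path)]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()             # drop hits that fell out of the window
        if len(q) > max_hits:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def _entry(ip, second, path):
    """Build one constructed log line (sample data, not a real server log)."""
    return (f'{ip} - - [09/Dec/2013:10:15:{second:02d} +0200] '
            f'"POST {path} HTTP/1.1" 200 312 "-" "Mozilla/5.0"')


# Constructed sample: one source probes the ajax script 8 times in 21 seconds,
# a second source logs in once and then fetches an unrelated page.
SAMPLE_LOG = (
    [_entry("198.51.100.7", s, "/core/ajax/registration.php") for s in range(0, 24, 3)]
    + [_entry("203.0.113.5", 10, "/login"), _entry("203.0.113.5", 40, "/index.php")]
)

if __name__ == "__main__":
    for (ip, path), n in find_bursts(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {n} requests within 60 s")
```

The threshold and window are illustrative; tune them to the site's normal traffic, and pair the alert with server-side rate limiting on the same paths so that the captcha on the registration form is not the only control.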


Timeline:

2013.07.14 - found multiple vulnerabilities in InstantCMS 1.10.1.
2013.07.19 - informed the developers about the first part of the vulnerabilities. Ignored.
2013.07.31 - informed the developers about another part of the vulnerabilities. Answered, but refused to fix.
2013.08.02 - reminded the developers about the first letter with holes and explained why they should fix them.
2013.08.02 - developers released InstantCMS 1.10.2 without fixing any of the reported vulnerabilities.
2013.09.24 - announced at my site.
2013.10.15 - developers released InstantCMS 1.10.3 without fixing any of the reported vulnerabilities.
2013.11.15 - disclosed at my site (http://websecurity.com.ua/6785/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua