[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code
Vulnerable version: before 3.6.0
Vendor/Product: dotCMS (http://dotcms.com/)
# Background and description
It's possible to re-use valid CAPTCHA code in dotCMS framework.
Last loaded CAPTCHA code is stored in session and CAPTCHA code is
renewed only when you reload image /Captcha.jpg from server. But if
you don't reload it, you can use previous valid CAPTCHA code till your
session is alive.
Problem was first announced with CRLF/Email Header Injection:
* link1: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
* link2: http://seclists.org/fulldisclosure/2016/May/69
Attacker must first fill manually valid CAPTCHA code.
No other pre-conditions - no authentication or authorization needed.
You need to detect from a dotCMS server:
* valid CAPTCHA by loading /Captcha.jpg
* your session id (JSESSIONID) value
If some form asks CAPTCHA, you can use those 2 values for sending valid data.
Proof-of-Concept with a detailed description is available at:
# Vulnerability Disclosure Timeline
First I mentioned CAPTCHA reuse possibility in other reports
2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in
Email Header Injection description
2015-12-14 | me > dotCMS | asked feedback in other set of reported
As reported Email Header Injection and different SQL injections were
fixed and CAPTCHA reuse wasn't fixed, I Reported separately
2016-05-27 | me > dotCMS | description of CAPTCHA reuse process
2016-06-29 | me > dotCMS | any comments or feedback?
2016-07-06 | dotCMS > me | confirmed bug and opened issue
2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be
programmatically reused by passing session id #9330"
2016-07-07 | me > mitre.org | CVE requested .. no response
2016-09-02 | dotCMS | dotCMS version 3.6.0 release
2016-10-10 | me > mitre.org | CVE requested via web form
2016-10-11 | mitre.org > me | CVE-2016-8600 assigned
2016-10-17 | me | Full Disclosure on security.elarlang.eu
Update dotCMS at least to version 3.6.0
Issue description and timeline: https://github.com/dotCMS/core/issues/9330
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/