Hello list! These are Login Enumeration, Brute Force and Insufficient Anti-automation vulnerabilities in Catapulta I.W. Edition. This is commercial CMS. It's used at web site of one presidential contender in Ukraine (the elections were last Sunday), where I found these vulnerabilities at 28.01.2014. This politic never cared about security of his web site and his site was hacked in 2009, so no surprise he used vulnerable CMS this year too and still haven't fixed holes - as these ones, as many others. There are many interesting Information Leakage vulnerabilities at that web site, but as I found they are related to site configuration or non-default CMS configuration and are not present at other sites on Catapulta. ------------------------- Affected products: ------------------------- Vulnerable are all versions of Catapulta I.W. Edition. ------------------------- Affected vendors: ------------------------- Pula Design - developer of Catapulta. http://pula.com.ua ---------- Details: ---------- Login Enumeration (WASC-42): http://site/admin/login.php Different answers allow to enumerate logins in the system. Brute Force (WASC-11): http://site/admin/login.php There is no protection from Brute Force attacks. Insufficient Anti-automation (WASC-21): In contact form (http://site/messageadmin.html) there is no protection against automated attacks. ------------ Timeline: ------------ 2014.02.28 - announced at my site. 2014.03.07 - informed developers. Ignored. 2014.05.30 - disclosed at my site (http://websecurity.com.ua/7033/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua