dotCMS CAPTCHA Bypass

2016.10.20
Credit: Elar Lang
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2016-8600
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code Credit: Elar Lang / https://security.elarlang.eu Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code Vulnerable version: before 3.6.0 CVE: CVE-2016-8600 Vendor/Product: dotCMS (http://dotcms.com/) # Background and description It's possible to re-use valid CAPTCHA code in dotCMS framework. Last loaded CAPTCHA code is stored in session and CAPTCHA code is renewed only when you reload image /Captcha.jpg from server. But if you don't reload it, you can use previous valid CAPTCHA code till your session is alive. Problem was first announced with CRLF/Email Header Injection: * link1: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html * link2: http://seclists.org/fulldisclosure/2016/May/69 # Preconditions Attacker must first fill manually valid CAPTCHA code. No other pre-conditions - no authentication or authorization needed. # Proof-of-Concept You need to detect from a dotCMS server: * valid CAPTCHA by loading /Captcha.jpg * your session id (JSESSIONID) value If some form asks CAPTCHA, you can use those 2 values for sending valid data. Proof-of-Concept with a detailed description is available at: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html # Vulnerability Disclosure Timeline First I mentioned CAPTCHA reuse possibility in other reports 2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in Email Header Injection description 2015-12-14 | me > dotCMS | asked feedback in other set of reported vulnerabilities As reported Email Header Injection and different SQL injections were fixed and CAPTCHA reuse wasn't fixed, I Reported separately 2016-05-27 | me > dotCMS | description of CAPTCHA reuse process 2016-06-29 | me > dotCMS | any comments or feedback? 2016-07-06 | dotCMS > me | confirmed bug and opened issue 2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be programmatically reused by passing session id #9330" 2016-07-07 | me > mitre.org | CVE requested .. no response 2016-09-02 | dotCMS | dotCMS version 3.6.0 release 2016-10-10 | me > mitre.org | CVE requested via web form 2016-10-11 | mitre.org > me | CVE-2016-8600 assigned 2016-10-17 | me | Full Disclosure on security.elarlang.eu # Fixes Update dotCMS at least to version 3.6.0 Issue description and timeline: https://github.com/dotCMS/core/issues/9330 -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com

References:

https://github.com/dotCMS/core/issues/9330


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top