Vulners
Lucene search
dotCMS CAPTCHA Bypass Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2016-8600 | 19 Oct 201620:47 | – | circl |
 | DotCMS Security Bypass Vulnerability | 24 Oct 201600:00 | – | cnvd |
 | CVE-2016-8600 | 28 Oct 201615:00 | – | cve |
 | CVE-2016-8600 | 28 Oct 201615:00 | – | cvelist |
 | EUVD-2016-9447 | 7 Oct 202500:30 | – | euvd |
 | CVE-2016-8600 | 28 Oct 201615:59 | – | nvd |
 | CVE-2016-8600 | 28 Oct 201615:59 | – | osv |
 | Code injection | 28 Oct 201615:59 | – | prion |
Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code
Vulnerable version: before 3.6.0
CVE: CVE-2016-8600
Vendor/Product: dotCMS (http://dotcms.com/)
# Background and description
It's possible to re-use valid CAPTCHA code in dotCMS framework.
Last loaded CAPTCHA code is stored in session and CAPTCHA code is
renewed only when you reload image /Captcha.jpg from server. But if
you don't reload it, you can use previous valid CAPTCHA code till your
session is alive.
Problem was first announced with CRLF/Email Header Injection:
* link1: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
* link2: http://seclists.org/fulldisclosure/2016/May/69
# Preconditions
Attacker must first fill manually valid CAPTCHA code.
No other pre-conditions - no authentication or authorization needed.
# Proof-of-Concept
You need to detect from a dotCMS server:
* valid CAPTCHA by loading /Captcha.jpg
* your session id (JSESSIONID) value
If some form asks CAPTCHA, you can use those 2 values for sending valid data.
Proof-of-Concept with a detailed description is available at:
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
# Vulnerability Disclosure Timeline
First I mentioned CAPTCHA reuse possibility in other reports
2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in
Email Header Injection description
2015-12-14 | me > dotCMS | asked feedback in other set of reported
vulnerabilities
As reported Email Header Injection and different SQL injections were
fixed and CAPTCHA reuse wasn't fixed, I Reported separately
2016-05-27 | me > dotCMS | description of CAPTCHA reuse process
2016-06-29 | me > dotCMS | any comments or feedback?
2016-07-06 | dotCMS > me | confirmed bug and opened issue
2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be
programmatically reused by passing session id #9330"
2016-07-07 | me > mitre.org | CVE requested .. no response
2016-09-02 | dotCMS | dotCMS version 3.6.0 release
2016-10-10 | me > mitre.org | CVE requested via web form
2016-10-11 | mitre.org > me | CVE-2016-8600 assigned
2016-10-17 | me | Full Disclosure on security.elarlang.eu
# Fixes
Update dotCMS at least to version 3.6.0
Issue description and timeline: https://github.com/dotCMS/core/issues/9330
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Oct 2016 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.00867