[python-events] Fwd: To Report A Critical Vulnerability python.org
Ashish Patel
patel.ashish874 at gmail.com
Tue Mar 31 11:00:48 CEST 2015
Greetings,

My name is Ashish Patel. I am a young security researcher from India. While surfing your website I found a very serious vulnerability known as brute force attack that can lead to attacks on your users' data and reputation if found by any malicious attacker.

Please forward this email to your technical department which takes care of the website *http://www.python.org*. I reported the issue to the security team but they did not give any response from their side; that's why I have to send this copy to you...

==> python.org is also vulnerable to a user enumeration bug in which I was able to extract the existing users on python.org due to the improper rate limiting that I reported earlier, so an attacker will be giving problems to your existing customers and stealing their usernames and passwords...
[*] Issue: bruteforce

[*] Reference about this ==> https://www.owasp.org/index.php/Brute_Force_Testing_AoC#Brief_Summary

[*] Impact: The attacker can successfully bruteforce the passwords on any user's account and this can lead to account compromise.

[*] HERE is the POC (proof of concept) of this vulnerability:
-------------------------------------------------------------------------------
==> https://drive.google.com/file/d/0B8TWgFm5L9GEVHdKRDNFYm1aMzQ/view?usp=sharing
-------------------------------------------------------------------------------
[*] Recommendation:
The length code value for right and wrong passwords shall always be the same for any user's account. Instead of user-agent based validation for enabling the rate limiting, the user id shall be checked for the number of wrong password attempts. So in this way one can bypass rate limiting and can also compromise the victim's account; also, this technique can be used to find the same type of vulnerabilities on different websites.
_________________________________________________________________________
I hope you will make the best use of the report and patch the vulnerability in no time. For any further assistance feel free to revert. I will be happy to assist your team if you need my assistance. Waiting for the acceptance of a suitable *remedy* for reporting the vulnerability.

Thanks to all...
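The two mitigations the report recommends, counting wrong-password attempts per account rather than per User-Agent, and returning the same response for every failure case so that an unknown username and a wrong password are indistinguishable, are shown below in a hardened login handler. This is an added Python example written for this page; it is neither python.org's code nor the reporter's proof of concept, and every name in it (LoginService, create_user, the "alice" account, the thresholds) is invented for the illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Policy constants (illustrative values, not python.org's configuration).
MAX_FAILURES = 5        # wrong passwords tolerated per account per window
WINDOW_SECONDS = 900    # sliding window in which failures are counted
GENERIC_FAILURE = "Invalid username or password."  # one body, same length, for every failure
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes


def create_user(password: str) -> User:
    salt = os.urandom(16)
    return User(salt=salt, pw_hash=_hash_password(password, salt))


# Decoy credential: unknown usernames cost the same PBKDF2 work as real ones, so
# response time does not reveal whether an account exists.
_DECOY = create_user("decoy-password-never-matches")


@dataclass
class LoginService:
    users: Dict[str, User]
    # username -> timestamps of recent failures (hypothetical in-memory store; a production
    # deployment would use a bounded, expiring store so random usernames cannot fill memory).
    failures: Dict[str, List[float]] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def _recent_failures(self, username: str) -> int:
        now = self.clock()
        live = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        self.failures[username] = live
        return len(live)

    def login(self, username: str, password: str, user_agent: str = "") -> dict:
        """Authenticate; `user_agent` is accepted only to show it plays no part in throttling."""
        user = self.users.get(username)
        target = user if user is not None else _DECOY
        # Always run the hash, so "no such user" and "wrong password" take the same time.
        candidate = _hash_password(password, target.salt)
        password_ok = hmac.compare_digest(candidate, target.pw_hash)
        locked = self._recent_failures(username) >= MAX_FAILURES

        if user is not None and password_ok and not locked:
            self.failures.pop(username, None)
            return {"ok": True, "message": "Login successful."}

        # Unknown user, wrong password and locked account all return an identical body.
        self.failures.setdefault(username, []).append(self.clock())
        return {"ok": False, "message": GENERIC_FAILURE}


def demo() -> dict:
    """Replay the report's observations against the hardened handler (constructed data)."""
    now = [1_700_000_000.0]  # controllable clock so window expiry is reproducible
    svc = LoginService(users={"alice": create_user("correct horse battery")}, clock=lambda: now[0])

    unknown = svc.login("mallory", "guess", user_agent="Mozilla/5.0 (A)")
    wrong = svc.login("alice", "guess", user_agent="Mozilla/5.0 (A)")

    # Rotating the User-Agent on every try does not reset the per-account counter.
    for i in range(MAX_FAILURES - 1):
        svc.login("alice", f"guess{i}", user_agent=f"Mozilla/5.0 (B{i})")
    locked = svc.login("alice", "correct horse battery", user_agent="Mozilla/5.0 (C)")

    now[0] += WINDOW_SECONDS + 1  # window passes; the legitimate user can log in again
    after_window = svc.login("alice", "correct horse battery")

    return {
        "unknown_user": unknown,
        "wrong_password": wrong,
        "locked_with_correct_password": locked,
        "after_window": after_window,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} ok={result['ok']!s:5s} body={result['message']!r}")
```

Running the module prints one line per scenario: the unknown-user and wrong-password responses are byte-for-byte identical, the sixth attempt is refused even with the correct password because the count is keyed on the account name, and the account becomes usable again once the window has elapsed.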