[python-events] Fwd: To Report A Critical Vulnerability python.org

Ashish Patel patel.ashish874 at gmail.com
Tue Mar 31 11:00:48 CEST 2015


Greetings,

My name is Ashish Patel. I am a young security researcher from India.
While surfing your website I found a very serious vulnerability,
known as a brute force attack, that can lead to attacks on your users'
data and reputation if found by any malicious attacker.

Please forward this email to your technical department, which takes
care of the website http://www.python.org

I reported the issue to the security team but they did not give any
response from their side; that is why I have sent this copy to you...

==>
python.org is also vulnerable to a user enumeration bug, in which I was
able to extract the existing users of python.org due to the improper
rate limiting that I reported earlier. So an attacker will be able to
give problems to your existing customers and steal their usernames and
passwords...




[*] Issue: brute force



[*] Reference about this ==>
https://www.owasp.org/index.php/Brute_Force_Testing_AoC#Brief_Summary

[*] Impact:

An attacker can successfully brute force the password of any user's
account, and this can lead to account compromise.

[*] Here is the PoC (proof of concept) of this vulnerability:

-------------------------------------------------------------------------------
==>
https://drive.google.com/file/d/0B8TWgFm5L9GEVHdKRDNFYm1aMzQ/view?usp=sharing
-------------------------------------------------------------------------------

[*] Recommendation:

The length code value for right and wrong passwords shall always be the
same for any user's account.

Instead of User-Agent based validation for enabling the rate limiting,
the user ID shall be checked for the number of wrong password attempts.


So in this way, one can bypass rate limiting and can also compromise the
victim's account; this technique can also be used to find the same type
of vulnerabilities on different websites.
_________________________________________________________________________

I hope you will make the best use of the report and patch the
vulnerability in no time. For any further assistance feel free to
revert.

I will be happy to assist your team if you need my assistance.

Waiting for the acceptance of a suitable remedy for reporting the
vulnerability.


Thanks to all...
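As an added example (it is not part of the report above and is not python.org's code), the following hypothetical Python login backend implements the two recommendations the report makes: the failure counter is keyed on the account name rather than on the User-Agent header, so rotating the header on every request does not reset it, and every failed login, whether the password is wrong, the username does not exist, or the account is locked, returns the same reply of the same length. The LoginService class, its in-memory user store, and the sample usernames, passwords and guess list are all constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Identical text (and therefore identical length) for every failure cause:
# wrong password, unknown username, or locked account. A response that differs
# between "no such user" and "wrong password" is the enumeration oracle.
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 makes every guess cost real CPU; the iteration count is kept
    # modest here only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class LoginService:
    """Hypothetical login backend (constructed for this example).

    Failure counters are keyed on the account name, never on request headers
    such as User-Agent, so a client that changes the header on each request
    still hits the same counter.
    """

    def __init__(self, max_failures=5, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> (failure count, locked_until)
        # Dummy credentials hashed for unknown usernames, so a request for a
        # missing account does the same work as a request for a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username, password, user_agent, now=None):
        """Return (success, message).

        `user_agent` is accepted only to show that it plays no part in the
        decision; `now` is injectable so lockout expiry can be exercised.
        """
        now = time.monotonic() if now is None else now
        count, locked_until = self._failures.get(username, (0, 0.0))

        # Always run the hash, even for unknown or locked accounts, so the
        # timing of the reply does not reveal which case applied.
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = hash_password(password, salt)
        correct = hmac.compare_digest(candidate, stored) and username in self._users

        if now < locked_until:
            return False, GENERIC_ERROR        # locked: the guess is discarded
        if not correct:
            count += 1
            if count >= self.max_failures:
                locked_until = now + self.lockout_seconds
            self._failures[username] = (count, locked_until)
            return False, GENERIC_ERROR
        self._failures.pop(username, None)     # a successful login clears the counter
        return True, "Login OK."


def guess_with_rotating_user_agents(service, username, guesses, now=0.0):
    """Attacker loop: a fresh User-Agent on every request, as in the bypass the
    report describes. Returns the password that logged in, or None if the
    account-keyed lockout held for the whole guess list."""
    for i, guess in enumerate(guesses):
        user_agent = f"Mozilla/5.0 (rotated-{i})"   # constructed header value
        ok, _ = service.login(username, guess, user_agent, now=now + i)
        if ok:
            return guess
    return None


if __name__ == "__main__":
    svc = LoginService(max_failures=5, lockout_seconds=300.0)
    svc.add_user("alice", "correct horse")          # constructed sample account
    guesses = ["123456", "password", "qwerty", "letmein",
               "alice1", "dragon", "correct horse"]  # real password is 7th
    print("found:", guess_with_rotating_user_agents(svc, "alice", guesses))
    print("unknown user:", svc.login("nobody", "x", "ua", now=400.0))
    print("wrong password:", svc.login("alice", "x", "ua", now=401.0))
```

The example deliberately keeps the lock per account rather than per client, which is what defeats header rotation; the trade-off is that an attacker can then lock a victim out on purpose, so production systems usually pair the account counter with escalating delays or a secondary per-source limit, and bound how many counters unknown usernames may create.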