[python-events] To Report A Critical Vulnerability python.org
Steve Holden
steve at holdenweb.com
Tue Mar 31 12:27:58 CEST 2015
Hi Ashish,
Thank you for your note. I am also on the webmasters list, and so saw your previous email concerning user enumeration, to which I have to say I feel you received an entirely adequate and respectful reply. I never saw any response from you to Marc-Andre's reply to the effect that this vulnerability was less severe (in the case of Python.org) than you appear to believe. Remember that the
If you are able to enumerate the users of the python.org site please demonstrate this capability by providing us with a list of the details that you have extracted (which we can verify with the web team). Otherwise you would appear to be talking about a technical vulnerability with little in the way of practical exploits.
Further, this email address is no more appropriate for reporting web site issues than webmaster at . I have Bcc'd one of the primary developers to be sure that the security issue is as restricted as we believe. You should receive further contact if this relates to an active issue or one which is felt to be an immediate concern.
I agree that the password refresh request failure message referred to in your original email would be better phrased so that it did not reveal the absence or presence of a particular email address as a user on the site. I am sure that as a security researcher you will be aware that this is only the first step in any attempt at compromise, and that awareness of a user name/email still requires the correct password for that account before anything other than public access is obtained. However, it certainly won't hurt to request that small change. I was under the impression that the site contained a link to the appropriate issue-tracking site, but I am currently unable to find it and so may be mistaken.
Since you give no details of the brute force attack you mention you will perhaps realize that support for your original claim will improve the reception of any further reports. It's not that we don't want to listen, it's simply that we need to engage in a dialog, and if we tell you we don't think there's a problem we do have quite a lot of experience we bring to bear in making such a determination. This does not necessarily mean you are wrong, simply that so far the evidence has failed to convince us. I do not wish to disparage your efforts since you are clearly trying to help, for which we are grateful.
regards
Steve
On Mar 31, 2015, at 2:00 AM, Ashish Patel <patel.ashish874 at gmail.com> wrote:
> Greetings,
>
> My name is Ashish Patel. I am a young security researcher from India. While surfing your website I have found a very serious vulnerability known as brute force attack that can lead to attacks on your users' data and reputation if found by any malicious attacker.
>
> Please forward this email to your technical department which takes care of the website *http://www.python.org*
>
> I reported the issue to the security team but they didn't give any response from their side, that's why I have to send this copy to you...
>
> ==> python.org is also vulnerable to a user enumeration bug in which I was able to extract the existing users on python.org due to improper rate limiting, which I reported earlier.. so an attacker will be giving problems to your existing customers & steal their username and password...
>
> [*] Issue: brute force
>
> [*] reference about this ==>
> https://www.owasp.org/index.php/Brute_Force_Testing_AoC#Brief_Summary
>
> [*] Impact:
>
> The attacker can successfully brute force the passwords on any user's account and this can lead to account compromise.
>
> [*] HERE is the POC (proof of concept) of this vulnerability:
>
> -------------------------------------------------------------------------------
> ==>https://drive.google.com/file/d/0B8TWgFm5L9GEVHdKRDNFYm1aMzQ/view?usp=sharing
> -------------------------------------------------------------------------------
>
> [*] Recommendation:
>
> The Length Code Value for right & wrong passwords shall always be the same for any user's account.
>
> Instead of user-agent based validation for enabling the rate limiting, the user id shall be checked for the number of wrong password attempts.
>
>
> So in this way, one can bypass rate limiting and can also compromise the victim's account; also, this technique can be used to find the same type of vulnerabilities on different websites.
> _________________________________________________________________________
>
> I hope you will make the best use of the report and patch the vulnerability in no time. For any further assistance feel free to revert.
>
> I will be happy to assist your team if you need my assistance.
>
> Waiting for the acceptance of a suitable *remedy* for reporting the vulnerability.
>
>
> thanks to all...
--
Steve Holden steve at holdenweb.com / +1 571 484 6266 / +44 113 320 2335 / @holdenweb
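As an added example (not python.org's code, and not written by anyone in this thread), here is what the two mitigations discussed above look like in plain Python: a password-reset reply that does not depend on whether the address is registered, and a wrong-password counter keyed on the account rather than on the User-Agent header. The user store, addresses, passwords and limit are constructed for illustration.

```python
"""Constructed demo of two defensive patterns from the thread:
1. A reset handler whose reply is identical for known and unknown addresses,
   so it cannot serve as a user-enumeration oracle.
2. A failed-login budget tracked per account, so changing the User-Agent
   header does not reset it (the weakness the report describes).
"""
from collections import defaultdict
import hmac

# Constructed user store; passwords kept in clear only to keep the demo short.
USERS = {"alice@example.invalid": "correct horse", "bob@example.invalid": "hunter2"}

RESET_MESSAGE = "If that address is registered, a reset link has been sent."


def send_reset_link(email: str) -> None:
    """Stand-in for the real mailer (hypothetical helper)."""


def request_password_reset(email: str) -> str:
    """Return the same text whether or not `email` exists.
    A leaky variant would answer 'No user with that email' for unknown
    addresses, which is exactly what lets a client enumerate accounts."""
    if email in USERS:
        send_reset_link(email)  # side effect only; nothing visible in the reply
    return RESET_MESSAGE


class LoginGuard:
    """Count wrong passwords per account and lock after `limit` failures."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.failures = defaultdict(int)  # account -> consecutive failures

    def attempt(self, email: str, password: str, user_agent: str) -> str:
        # user_agent is accepted but deliberately NOT used as the rate-limit key;
        # keying on it would let a client reset the counter by changing the header.
        if self.failures[email] >= self.limit:
            return "locked"
        expected = USERS.get(email, "")
        # Constant-time compare; unknown accounts and wrong passwords both yield "denied".
        if email in USERS and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[email] = 0
            return "ok"
        self.failures[email] += 1
        return "denied"
```

In a real deployment the counter would live in shared storage (not a process-local dict) and the lockout itself would need a reset path, but the keying decision is the point the thread turns on.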