[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerabilities in phpCOIN

About Us:

It is with profound sorrow, sadness and regret, that COINSoft Technologies Inc. must announce the death of their lead developer Stephen M. Kitching (cantex) after a mercifully short battle with cancer.

Stephen was both an inspiration and good friend to everyone who knew and worked with him. He will be greatly missed, and his ingenuity and work will live on in the thoughts of all those, who were and will be touched, by the contributions he made to the software he dedicated his life to.

Our deepest sympathies, hearts and prayers go out to Steven's family and friends.


If I were a customer of theirs I'd be cutting them some slack. I'm just sayin'.

MustLive wrote:
Hello Bugtraq!

I want to warn you about security vulnerabilities in system phpCOIN.

Advisory: Vulnerabilities in phpCOIN
URL: http://websecurity.com.ua/4090/
Affected products: phpCOIN 1.6.5 and previous versions.
17.03.2010 - found vulnerabilities.
01.04.2010 - disclosed at my site.
02.04.2010 - informed developers.

These are Insufficient Anti-automation and Denial of Service

The vulnerabilities exist in captcha script CaptchaSecurityImages.php, which
is using in this system. I already reported about vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:


Captcha bypass is possible via half-automated or automated (with using of
OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).



With setting of large values of width and height it's possible to create
large load at the server.

Best wishes & regards,
Administrator of Websecurity web site