Home / vulnerabilitiesPDF  

captcha-digest.txt

Posted on 04 January 2008
Source : packetstormsecurity.org Link

 

Dear bugtraq,

Below is a digest of vulnerabilities in multiple CAPTCHA systems. All
vulnerabilities were reported by MustLive (websecurity.com.ua) during
"The Month of Bugs in CAPTCHA"

1. Peter’s Custom Anti-Spam Image < 2.9 (Wordpress plugin)

1.1 "antiselect" value can be guessed with 10% probability.
1.2 Same check pairs may be used for multiple postings

According to vendor both problems were addressed in Version 2.9.0 on
August 11, 2007

Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

2. mt-scode CAPTCHA (plugin for Movable type and Drupal)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1516/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html

3. PHP-Nuke <= 8.1

3.1 Same check pairs may be used for multiple postings/registrations

Original article: http://websecurity.com.ua/1527/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html
(posting)
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html
(registration)

3.2 NULL string CAPTCH bypass: if NULL string is given, CAPTCHA is
not validated.

Original article: http://websecurity.com.ua/1528/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html

4. Peter’s Random Anti-Spam Image <= 0.2.4 (Wordpress plugin)

CAPTCHA may be bypassed by pre-generating possible image-code pairs.

Original article: http://websecurity.com.ua/1534/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

5. Cryptographp <= 1.12 (Wordpress plugin)

It's possible to reuse same security code during session

Originale article: http://websecurity.com.ua/1551/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html

6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass

It's possible to reuse same security code during session

Original article:
http://websecurity.com.ua/1558/ (PHP-Fusion)
http://websecurity.com.ua/1561/ (HBH-Fusion)
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html
(PHP-Fusion)
http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt
(HBH-Fusion)

7. Nucleus <= 3.01 CAPTCHA bypass

7.1 CAPTCHA may be bypassed by pre-generating possible image-code pairs.
7.2 SQL injection vulnerability can be used to bypass CAPTCHA


Original article:
(7.1) http://websecurity.com.ua/1564/
(7.2) http://websecurity.com.ua/1565/
Exploit:
(7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html
(7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html

8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1568/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html
Vendor's suggested workaround:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx

9. Math Comment Spam Protection <= 2.1 (Wordpress plugin)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1575/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html

10. Anti Spam Image <= 0.5 (Wordpress plugin)

It's possible to reuse same security code during session

Original article: http://websecurity.com.ua/1584/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html

11. Captcha! <= 2.5d (Wordpress plugin)

It's possible to bypass CAPTCHA by combining crossite request
forgery vulnerability with NULL string for security code.

Original article: http://websecurity.com.ua/1587/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html
(crossite request forgery)
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html
(CAPTCHA bypass)

12. WP-ContactForm <= 2.0.7 (Wordpress plugin)

Same security code may be used for multiple times

Original article: http://websecurity.com.ua/1599/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html

13. Drupal (reCaptcha)

unique captcha_token parameter without recaptcha_response_field may
be used to bypass CAPTCHA.

Vulnerability is reported in reCaptcha plugin for Drupal, but
according to reCaptcha developers, vulnerability is in Drupal code.

Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt




--
http://securityvulns.com/
/\_/\n{ , . } |\n+--oQQo->{ ^ }<-----+ \n| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/

 

TOP