TUCoPS :: Web :: General :: bx1284.htm

CAPTCHA automation test bypass digest
multiple CAPTCHA automation test bypass digest
multiple CAPTCHA automation test bypass digest


Dear bugtraq,

  Below  is a digest of vulnerabilities in multiple CAPTCHA systems. All
  vulnerabilities  were reported by MustLive (websecurity.com.ua) during
  "The Month of Bugs in CAPTCHA"

1. Peter=92s Custom Anti-Spam Image < 2.9 (Wordpress plugin)

   1.1 "antiselect" value can be guessed with 10% probability.
   1.2 Same check pairs may be used for multiple postings

   According  to vendor both problems were addressed in Version 2.9.0 on
   August 11, 2007

Original article: http://websecurity.com.ua/1501/ 
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html 

2. mt-scode CAPTCHA (plugin for Movable type and Drupal)

   Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1516/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html 

3. PHP-Nuke <= 8.1

   3.1 Same check pairs may be used for multiple postings/registrations

Original article: http://websecurity.com.ua/1527/ 
   Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html 
           (posting)
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html 
           (registration)

   3.2  NULL  string  CAPTCH bypass: if NULL string is given, CAPTCHA is
   not validated.

Original article: http://websecurity.com.ua/1528/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html 

4. Peter=92s Random Anti-Spam Image <= 0.2.4 (Wordpress plugin)

   CAPTCHA may be bypassed by pre-generating possible image-code pairs.

Original article: http://websecurity.com.ua/1534/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html 

5. Cryptographp <= 1.12 (Wordpress plugin)

   It's possible to reuse same security code during session

Originale article: http://websecurity.com.ua/1551/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html 

6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass

   It's possible to reuse same security code during session

   Original article:
http://websecurity.com.ua/1558/ (PHP-Fusion) 
http://websecurity.com.ua/1561/ (HBH-Fusion) 
   Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html 
            (PHP-Fusion)
http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt 
            (HBH-Fusion)
            
7. Nucleus  <= 3.01 CAPTCHA bypass

   7.1 CAPTCHA may be bypassed by pre-generating possible image-code pairs.
   7.2 SQL injection vulnerability can be used to bypass CAPTCHA
   

   Original article:
(7.1) http://websecurity.com.ua/1564/ 
(7.2) http://websecurity.com.ua/1565/ 
   Exploit:
(7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html 
(7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html 

8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)

   Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1568/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html 
   Vendor's suggested workaround:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx 

9. Math Comment Spam Protection  <= 2.1 (Wordpress plugin)

   Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1575/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html 

10. Anti Spam Image <= 0.5 (Wordpress plugin)

   It's possible to reuse same security code during session

Original article: http://websecurity.com.ua/1584/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html 

11. Captcha! <= 2.5d (Wordpress plugin)

    It's  possible  to  bypass  CAPTCHA  by  combining  crossite request
    forgery vulnerability with NULL string for security code.

Original article: http://websecurity.com.ua/1587/ 
    Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html 
            (crossite request forgery)
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html 
            (CAPTCHA bypass)
    
12. WP-ContactForm <= 2.0.7 (Wordpress plugin)

    Same security code may be used for multiple times

Original article: http://websecurity.com.ua/1599/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html 

13. Drupal (reCaptcha)

    unique  captcha_token parameter without recaptcha_response_field may
    be used to bypass CAPTCHA.

    Vulnerability  is  reported  in  reCaptcha  plugin  for  Drupal, but
    according to reCaptcha developers, vulnerability is in Drupal code.

Original article: http://websecurity.com.ua/1505/ 
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt 

    
    
   
-- 
http://securityvulns.com/ 
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH