
Vulnerabilities in CaptchaSecurityImages

Hello Bugtraq!

I want to warn you about security vulnerabilities in CaptchaSecurityImages.
It's a captcha script that is used on many web sites and engines.

Advisory: Vulnerabilities in CaptchaSecurityImages
URL: http://websecurity.com.ua/4043/ 
06.10.2007 - found Insufficient Anti-automation vulnerability during my
project Month of Bugs in Captchas
17.09.2009 - found Denial of Service vulnerability.
17.03.2010 - disclosed at my site.
18.03.2010 - informed developers.

These are Insufficient Anti-automation and Denial of Service vulnerabilities.

Insufficient Anti-automation:

The parameters characters, width and height can be manipulated in the
captcha. They can be set in such a way that allows easy bypass of the
captcha via half-automated or automated (OCR-based) methods. In some
systems (http://websecurity.com.ua/4046/) it is also possible to use
session reuse, giving a constant captcha bypass method.

In this way it is possible to set two characters and increase the size of the

Denial of Service:

Setting large values of width and height makes it possible to create a
large load on the server.
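The server-side policy that closes the issues described above, as an added example rather than code from CaptchaSecurityImages or from this advisory. It is written in Python for illustration; the script's own code is not shown on this page. The parameter names `characters`, `width` and `height` come from the advisory; the limits, the session dictionary and the log event strings are assumptions. The example also goes one step beyond the advisory by making each issued code valid for a single verification, which addresses the session-reuse bypass mentioned for some systems.

```python
"""
Server-side hardening for a CAPTCHA image endpoint.

Added example, not code from CaptchaSecurityImages or from the advisory.
Three things are enforced here:
  * client-supplied rendering parameters are clamped to a fixed server
    policy, so a request for a two-character, huge image is never honoured;
  * the pixel budget is checked before any image would be allocated;
  * an issued code is consumed by the first verification, so a solved
    captcha cannot be replayed within the same session.
Policy values, session layout and event strings are assumptions.
"""
import hmac
import secrets
import string

# Illustrative policy values (assumptions, not the script's defaults).
# name: (minimum, maximum, default used when the client sends nothing)
POLICY = {
    "characters": (6, 8, 6),
    "width": (100, 300, 120),
    "height": (30, 100, 40),
}
MAX_PIXELS = 300 * 100          # image area cap, checked before allocation
CHARSET = string.ascii_uppercase + string.digits


def _to_int(value):
    """Parse a query-string value as an int; anything else counts as absent."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def resolve_params(query):
    """Clamp client-supplied rendering parameters to the server policy.

    `query` is a dict of GET parameters as strings.  Returns the parameters
    the renderer may use and a list of tamper indicators worth logging.
    An out-of-range value is clamped, never used as sent.
    """
    params, events = {}, []
    for name, (lo, hi, default) in POLICY.items():
        requested = _to_int(query.get(name))
        if requested is None:
            params[name] = default
            continue
        clamped = min(max(requested, lo), hi)
        if clamped != requested:
            events.append(
                f"captcha_param_tamper name={name} requested={requested} used={clamped}"
            )
        params[name] = clamped
    return params, events


def within_pixel_budget(width, height):
    """Refuse dimensions whose area exceeds the budget.

    resolve_params already bounds each dimension; this is defence in depth
    for a renderer whose dimensions may come from somewhere else (config,
    per-form settings) and must still never allocate an oversized image.
    """
    return width * height <= MAX_PIXELS


def issue_code(session, length):
    """Generate a code, store it server-side in the session, return it."""
    code = "".join(secrets.choice(CHARSET) for _ in range(length))
    session["captcha_code"] = code
    return code


def verify_code(session, submitted):
    """One-time verification.

    The stored code is removed whether or not it matches, so a solved code
    cannot be replayed against later requests in the same session.
    """
    expected = session.pop("captcha_code", None)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.upper(), submitted.strip().upper())


if __name__ == "__main__":
    # Constructed request resembling the manipulation the advisory describes.
    attacker_query = {"characters": "2", "width": "4000", "height": "4000"}
    params, events = resolve_params(attacker_query)
    print(params)                            # {'characters': 6, 'width': 300, 'height': 100}
    for event in events:
        print(event)                         # three tamper events, one per parameter
    print(within_pixel_budget(4000, 4000))   # False
```

The renderer should only ever receive the dictionary returned by `resolve_params`; logging the tamper events gives the operations team a signal that someone is probing the endpoint long before any bypass succeeds.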

Best wishes & regards,
Administrator of Websecurity web site
