Title: CVE-2016-8600 dotCMS - CAPTCHA bypass by reusing valid code
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: CAPTCHA bypass by re-using last loaded valid CAPTCHA code
Vulnerable version: before 3.6.0
CVE: CVE-2016-8600
Vendor/Product: dotCMS (http://dotcms.com/)


# Background and description

It's possible to re-use valid CAPTCHA code in dotCMS framework.

Last loaded CAPTCHA code is stored in session and CAPTCHA code is
renewed only when you reload image /Captcha.jpg from server. But if
you don't reload it, you can use previous valid CAPTCHA code till your
session is alive.

Problem was first announced with CRLF/Email Header Injection:
* link1: https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html
* link2: http://seclists.org/fulldisclosure/2016/May/69


# Preconditions

Attacker must first fill manually valid CAPTCHA code.

No other pre-conditions - no authentication or authorization needed.


# Proof-of-Concept

You need to detect from a dotCMS server:
* valid CAPTCHA by loading /Captcha.jpg
* your session id (JSESSIONID) value

If some form asks CAPTCHA, you can use those 2 values for sending valid data.

Proof-of-Concept with a detailed description is available at:
https://security.elarlang.eu/cve-2016-8600-dotcms-captcha-bypass-by-reusing-valid-code.html


# Vulnerability Disclosure Timeline

First I mentioned CAPTCHA reuse possibility in other reports

2015-12-07 | me > dotCMS | CAPTCHA reuse possibility is mentioned in
Email Header Injection description
2015-12-14 | me > dotCMS | asked feedback in other set of reported
vulnerabilities

As reported Email Header Injection and different SQL injections were
fixed and CAPTCHA reuse wasn't fixed, I Reported separately

2016-05-27 | me > dotCMS | description of CAPTCHA reuse process
2016-06-29 | me > dotCMS | any comments or feedback?
2016-07-06 | dotCMS > me | confirmed bug and opened issue
2016-07-06 | dotCMS | opened issue in GitHub | "Captcha can be
programmatically reused by passing session id #9330"
2016-07-07 | me > mitre.org | CVE requested .. no response
2016-09-02 | dotCMS | dotCMS version 3.6.0 release
2016-10-10 | me > mitre.org | CVE requested via web form
2016-10-11 | mitre.org > me | CVE-2016-8600 assigned
2016-10-17 | me | Full Disclosure on security.elarlang.eu


# Fixes
Update dotCMS at least to version 3.6.0

Issue description and timeline: https://github.com/dotCMS/core/issues/9330

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com