
captcha-digest.txt

Posted Jan 3, 2008
Site securityvulns.com

This is a digest of vulnerabilities in multiple CAPTCHA systems. All vulnerabilities were reported by MustLive (websecurity.com.ua) during "The Month of Bugs in CAPTCHA".

tags | advisory, vulnerability
SHA-256 | adaa16c646d52d2707086c3479e4468849e4cbe4212de06171be88d05378d350

Dear bugtraq,

Below is a digest of vulnerabilities in multiple CAPTCHA systems. All
vulnerabilities were reported by MustLive (websecurity.com.ua) during
"The Month of Bugs in CAPTCHA".

1. Peter’s Custom Anti-Spam Image < 2.9 (WordPress plugin)

1.1 "antiselect" value can be guessed with 10% probability.
1.2 Same check pairs may be used for multiple postings

According to the vendor, both problems were addressed in Version 2.9.0 on
August 11, 2007.

Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

2. mt-scode CAPTCHA (plugin for Movable Type and Drupal)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1516/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html

3. PHP-Nuke <= 8.1

3.1 Same check pairs may be used for multiple postings/registrations

Original article: http://websecurity.com.ua/1527/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html
(posting)
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html
(registration)

3.2 NULL string CAPTCHA bypass: if a NULL string is given, the CAPTCHA is
not validated.

Original article: http://websecurity.com.ua/1528/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html

4. Peter’s Random Anti-Spam Image <= 0.2.4 (WordPress plugin)

CAPTCHA may be bypassed by pre-generating possible image-code pairs.

Original article: http://websecurity.com.ua/1534/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

5. Cryptographp <= 1.12 (WordPress plugin)

It's possible to reuse same security code during session

Original article: http://websecurity.com.ua/1551/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html

6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass

It's possible to reuse same security code during session

Original article:
http://websecurity.com.ua/1558/ (PHP-Fusion)
http://websecurity.com.ua/1561/ (HBH-Fusion)
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html
(PHP-Fusion)
http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt
(HBH-Fusion)

7. Nucleus <= 3.01 CAPTCHA bypass

7.1 CAPTCHA may be bypassed by pre-generating possible image-code pairs.
7.2 SQL injection vulnerability can be used to bypass CAPTCHA


Original article:
(7.1) http://websecurity.com.ua/1564/
(7.2) http://websecurity.com.ua/1565/
Exploit:
(7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html
(7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html

8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1568/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html
Vendor's suggested workaround:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx

9. Math Comment Spam Protection <= 2.1 (WordPress plugin)

Same check pairs may be used for multiple postings

Original article: http://websecurity.com.ua/1575/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html

10. Anti Spam Image <= 0.5 (WordPress plugin)

It's possible to reuse same security code during session

Original article: http://websecurity.com.ua/1584/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html

11. Captcha! <= 2.5d (WordPress plugin)

It's possible to bypass CAPTCHA by combining a cross-site request
forgery vulnerability with a NULL string for the security code.

Original article: http://websecurity.com.ua/1587/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html
(cross-site request forgery)
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html
(CAPTCHA bypass)

12. WP-ContactForm <= 2.0.7 (WordPress plugin)

The same security code may be used multiple times

Original article: http://websecurity.com.ua/1599/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html

13. Drupal (reCaptcha)

A unique captcha_token parameter without recaptcha_response_field may
be used to bypass CAPTCHA.

The vulnerability is reported in the reCaptcha plugin for Drupal, but
according to the reCaptcha developers, the vulnerability is in Drupal code.

Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt




--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
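
Most entries in this digest come down to two server-side validation flaws: a code/answer pair that stays valid after it has been used, and a check that is skipped when the submitted code is empty. The following is an added example, not code from the advisory or from any of the listed products, showing that flawed pattern next to a validator that consumes each challenge on first use, expires it, and rejects empty input. ChallengeStore, verify_weak, verify and the sample codes are hypothetical names and constructed values.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """In-memory store of issued CAPTCHA challenges (hypothetical, for illustration)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # challenge id -> (expected code, expiry timestamp)

    def issue(self, code, now=None):
        """Register a freshly generated code and return its unguessable id."""
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (code, now + self.ttl)
        return cid

    def verify_weak(self, cid, submitted):
        """Flawed pattern: empty input skips the check, pair is never invalidated."""
        if not submitted:
            return True  # empty code: validation silently skipped
        expected, _ = self._pending.get(cid, ("", 0))
        return submitted == expected  # entry stays in the store, so it can be replayed

    def verify(self, cid, submitted, now=None):
        """Hardened check: single use, expiring, empty input always fails."""
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)  # consumed on first attempt, pass or fail
        if entry is None or not isinstance(submitted, str) or not submitted:
            return False
        expected, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    """Run both validators against constructed sample values."""
    store = ChallengeStore()
    a = store.issue("7k3m9q")  # constructed sample code
    weak = [store.verify_weak(a, "7k3m9q"), store.verify_weak(a, "7k3m9q"),
            store.verify_weak(a, "")]
    b = store.issue("x2p8wd")
    hardened = [store.verify(b, "x2p8wd"), store.verify(b, "x2p8wd"),
                store.verify(store.issue("r5t1zz"), "")]
    return weak, hardened
```

Because the hardened validator removes the challenge before comparing, a wrong guess also burns the challenge, so each issued id allows exactly one attempt.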