Dear bugtraq,

Below is a digest of vulnerabilities in multiple CAPTCHA systems. All vulnerabilities were reported by MustLive (websecurity.com.ua) during "The Month of Bugs in CAPTCHA".

1. Peter's Custom Anti-Spam Image < 2.9 (WordPress plugin)

1.1 The "antiselect" value can be guessed with 10% probability.
1.2 The same check pairs may be used for multiple postings.

According to the vendor, both problems were addressed in version 2.9.0 on August 11, 2007.

Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

2. mt-scode CAPTCHA (plugin for Movable Type and Drupal)

The same check pairs may be used for multiple postings.

Original article: http://websecurity.com.ua/1516/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html

3. PHP-Nuke <= 8.1

3.1 The same check pairs may be used for multiple postings/registrations.

Original article: http://websecurity.com.ua/1527/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html (posting)
         http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html (registration)

3.2 NULL string CAPTCHA bypass: if a NULL string is given, the CAPTCHA is not validated.

Original article: http://websecurity.com.ua/1528/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html

4. Peter's Random Anti-Spam Image <= 0.2.4 (WordPress plugin)

The CAPTCHA may be bypassed by pre-generating the possible image-code pairs.

Original article: http://websecurity.com.ua/1534/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

5. Cryptographp <= 1.12 (WordPress plugin)

It is possible to reuse the same security code during a session.

Original article: http://websecurity.com.ua/1551/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html

6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass

It is possible to reuse the same security code during a session.

Original article: http://websecurity.com.ua/1558/ (PHP-Fusion)
                  http://websecurity.com.ua/1561/ (HBH-Fusion)
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html (PHP-Fusion)
         http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt (HBH-Fusion)

7. Nucleus <= 3.01 CAPTCHA bypass

7.1 The CAPTCHA may be bypassed by pre-generating the possible image-code pairs.
7.2 An SQL injection vulnerability can be used to bypass the CAPTCHA.

Original article: (7.1) http://websecurity.com.ua/1564/
                  (7.2) http://websecurity.com.ua/1565/
Exploit: (7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html
         (7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html

8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)

The same check pairs may be used for multiple postings.

Original article: http://websecurity.com.ua/1568/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html
Vendor's suggested workaround: http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx

9. Math Comment Spam Protection <= 2.1 (WordPress plugin)

The same check pairs may be used for multiple postings.

Original article: http://websecurity.com.ua/1575/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html

10. Anti Spam Image <= 0.5 (WordPress plugin)

It is possible to reuse the same security code during a session.

Original article: http://websecurity.com.ua/1584/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html

11. Captcha! <= 2.5d (WordPress plugin)

It is possible to bypass the CAPTCHA by combining a cross-site request forgery vulnerability with a NULL string for the security code.

Original article: http://websecurity.com.ua/1587/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html (cross-site request forgery)
         http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html (CAPTCHA bypass)

12. WP-ContactForm <= 2.0.7 (WordPress plugin)

The same security code may be used multiple times.

Original article: http://websecurity.com.ua/1599/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html

13. Drupal (reCaptcha)

A unique captcha_token parameter submitted without a recaptcha_response_field may be used to bypass the CAPTCHA. The vulnerability is reported in the reCaptcha plugin for Drupal, but according to the reCaptcha developers the vulnerability is in Drupal code.

Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt

-- 
http://securityvulns.com/
    /\_/\
   { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
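Nearly every entry above is one of three defects in the server-side check: a "check pair" (the code and its hash, or the image and its expected answer) that stays valid after it has been used once, so a pair that validated once can be resubmitted (items 1.2, 2, 3.1, 5, 6, 8, 9, 10, 12) or the whole finite set of pairs can be enumerated in advance (items 4, 7.1); an empty or absent answer that skips validation instead of failing it (items 3.2, 11, 13); and a challenge whose answer space is small enough to guess (item 1.1). The following is an added example written for this digest, not code from any of the plugins listed or from MustLive's advisories. It contrasts a constructed stateless "check pair" validator showing the first two flaws with a hardened validator that keeps the answer server-side, binds each challenge to a session, consumes it on the first attempt, rejects empty input, and expires it. `WEAK_SALT`, `CAPTCHA_TTL`, the in-memory `_challenges` store and the session ids are assumptions for the example; the hash-in-a-hidden-field design of the weak version is a generic reconstruction of the flaw class, not any specific plugin's code.

```python
import hashlib
import hmac
import secrets
import time

# ---- Weak pattern: stateless "check pair" validation (constructed illustration) ----
# The form carries the image's code hash alongside the user's answer and the
# server only recomputes the hash. Nothing is stored or consumed server-side,
# so a pair that validated once validates forever, for any session, and an
# empty answer skips the check instead of failing it.
WEAK_SALT = "constructed-site-salt"  # assumed value, not taken from any real plugin


def weak_issue_pair():
    """Return (code, check_hash); both reach the client, the hash as a hidden field."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return code, hashlib.md5((WEAK_SALT + code).encode()).hexdigest()


def weak_verify(code, check_hash):
    """Replayable and skippable: the two flaw classes the digest repeats."""
    if not code:  # empty/NULL code: validation is skipped, not failed
        return True
    return hashlib.md5((WEAK_SALT + code).encode()).hexdigest() == check_hash


# ---- Hardened pattern: server-side, session-bound, single-use challenges ----
CAPTCHA_TTL = 300          # seconds a challenge stays answerable (assumed value)
ANSWER_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
_challenges = {}           # (session_id, challenge_id) -> (answer, issued_at); example store


def issue_challenge(session_id, now=None):
    """Create a challenge bound to one session. Only challenge_id goes into the
    form; the answer is handed to the image renderer and otherwise stays here,
    so there is no fixed set of image/answer pairs to pre-generate."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(6))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[(session_id, challenge_id)] = (answer, now)
    return challenge_id, answer


def verify_challenge(session_id, challenge_id, response, now=None):
    """True only for a fresh, unused challenge of this session with the right answer."""
    now = time.time() if now is None else now
    # Consume the challenge on the first attempt, whatever the outcome, so a
    # known-good pair cannot be replayed and a wrong guess cannot be retried
    # against the same image.
    entry = _challenges.pop((session_id, challenge_id), None)
    if entry is None:          # unknown, already used, or another session's challenge
        return False
    if not response:           # missing/empty answer is a failure, never a skip
        return False
    answer, issued_at = entry
    if now - issued_at > CAPTCHA_TTL:
        return False
    expected = answer.encode()
    given = response.strip().upper().encode()
    return hmac.compare_digest(expected, given)
```

In a real deployment the `_challenges` dictionary would live in the session store or a cache shared by all application servers, and the form handler would also require the session to be the one that requested the form (the cross-site request forgery half of item 11 is a separate check, not addressed by the CAPTCHA logic itself).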