Dear bugtraq,
Below is a digest of vulnerabilities in multiple CAPTCHA systems. All
vulnerabilities were reported by MustLive (websecurity.com.ua) during
"The Month of Bugs in CAPTCHA"
1. Peter’s Custom Anti-Spam Image < 2.9 (Wordpress plugin)
1.1 "antiselect" value can be guessed with 10% probability.
1.2 Same check pairs may be used for multiple postings
According to vendor both problems were addressed in Version 2.9.0 on
August 11, 2007
Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
2. mt-scode CAPTCHA (plugin for Movable type and Drupal)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1516/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html
3. PHP-Nuke <= 8.1
3.1 Same check pairs may be used for multiple postings/registrations
Original article: http://websecurity.com.ua/1527/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html
(posting)
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html
(registration)
3.2 NULL string CAPTCH bypass: if NULL string is given, CAPTCHA is
not validated.
Original article: http://websecurity.com.ua/1528/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html
4. Peter’s Random Anti-Spam Image <= 0.2.4 (Wordpress plugin)
CAPTCHA may be bypassed by pre-generating possible image-code pairs.
Original article: http://websecurity.com.ua/1534/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
5. Cryptographp <= 1.12 (Wordpress plugin)
It's possible to reuse same security code during session
Originale article: http://websecurity.com.ua/1551/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html
6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass
It's possible to reuse same security code during session
Original article:
http://websecurity.com.ua/1558/ (PHP-Fusion)
http://websecurity.com.ua/1561/ (HBH-Fusion)
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html
(PHP-Fusion)
http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt
(HBH-Fusion)
7. Nucleus <= 3.01 CAPTCHA bypass
7.1 CAPTCHA may be bypassed by pre-generating possible image-code pairs.
7.2 SQL injection vulnerability can be used to bypass CAPTCHA
Original article:
(7.1) http://websecurity.com.ua/1564/
(7.2) http://websecurity.com.ua/1565/
Exploit:
(7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html
(7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html
8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1568/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html
Vendor's suggested workaround:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx
9. Math Comment Spam Protection <= 2.1 (Wordpress plugin)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1575/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html
10. Anti Spam Image <= 0.5 (Wordpress plugin)
It's possible to reuse same security code during session
Original article: http://websecurity.com.ua/1584/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html
11. Captcha! <= 2.5d (Wordpress plugin)
It's possible to bypass CAPTCHA by combining crossite request
forgery vulnerability with NULL string for security code.
Original article: http://websecurity.com.ua/1587/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html
(crossite request forgery)
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html
(CAPTCHA bypass)
12. WP-ContactForm <= 2.0.7 (Wordpress plugin)
Same security code may be used for multiple times
Original article: http://websecurity.com.ua/1599/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html
13. Drupal (reCaptcha)
unique captcha_token parameter without recaptcha_response_field may
be used to bypass CAPTCHA.
Vulnerability is reported in reCaptcha plugin for Drupal, but
according to reCaptcha developers, vulnerability is in Drupal code.
Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
Below is a digest of vulnerabilities in multiple CAPTCHA systems. All
vulnerabilities were reported by MustLive (websecurity.com.ua) during
"The Month of Bugs in CAPTCHA"
1. Peter’s Custom Anti-Spam Image < 2.9 (Wordpress plugin)
1.1 "antiselect" value can be guessed with 10% probability.
1.2 Same check pairs may be used for multiple postings
According to vendor both problems were addressed in Version 2.9.0 on
August 11, 2007
Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
2. mt-scode CAPTCHA (plugin for Movable type and Drupal)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1516/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/mt-scode%20CAPTCHA%20bypass.html
3. PHP-Nuke <= 8.1
3.1 Same check pairs may be used for multiple postings/registrations
Original article: http://websecurity.com.ua/1527/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass.html
(posting)
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass2.html
(registration)
3.2 NULL string CAPTCH bypass: if NULL string is given, CAPTCHA is
not validated.
Original article: http://websecurity.com.ua/1528/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Nuke%20CAPTCHA%20bypass3.html
4. Peter’s Random Anti-Spam Image <= 0.2.4 (Wordpress plugin)
CAPTCHA may be bypassed by pre-generating possible image-code pairs.
Original article: http://websecurity.com.ua/1534/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Random%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
5. Cryptographp <= 1.12 (Wordpress plugin)
It's possible to reuse same security code during session
Originale article: http://websecurity.com.ua/1551/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Cryptographp%20CAPTCHA%20bypass.html
6. PHP-Fusion / HBH-Fusion (version not reported) CAPTCHA bypass
It's possible to reuse same security code during session
Original article:
http://websecurity.com.ua/1558/ (PHP-Fusion)
http://websecurity.com.ua/1561/ (HBH-Fusion)
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/PHP-Fusion%20CAPTCHA%20bypass.html
(PHP-Fusion)
http://websecurity.com.ua/uploads/2007/MoBiC/HBH-Fusion%20CAPTCHA%20bypass.txt
(HBH-Fusion)
7. Nucleus <= 3.01 CAPTCHA bypass
7.1 CAPTCHA may be bypassed by pre-generating possible image-code pairs.
7.2 SQL injection vulnerability can be used to bypass CAPTCHA
Original article:
(7.1) http://websecurity.com.ua/1564/
(7.2) http://websecurity.com.ua/1565/
Exploit:
(7.1) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass.html
(7.2) http://websecurity.com.ua/uploads/2007/MoBiC/Nucleus%20CAPTCHA%20bypass2.html
8. Auto-Input Protection (AIP) <= 2.0 (for ASP.Net)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1568/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/AIP%20CAPTCHA%20bypass.html
Vendor's suggested workaround:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx
9. Math Comment Spam Protection <= 2.1 (Wordpress plugin)
Same check pairs may be used for multiple postings
Original article: http://websecurity.com.ua/1575/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Math%20Comment%20Spam%20Protection%20CAPTCHA%20bypass.html
10. Anti Spam Image <= 0.5 (Wordpress plugin)
It's possible to reuse same security code during session
Original article: http://websecurity.com.ua/1584/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/Anti%20Spam%20Image%20CAPTCHA%20bypass.html
11. Captcha! <= 2.5d (Wordpress plugin)
It's possible to bypass CAPTCHA by combining crossite request
forgery vulnerability with NULL string for security code.
Original article: http://websecurity.com.ua/1587/
Exploit:
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CSRF.html
(crossite request forgery)
http://websecurity.com.ua/uploads/2007/MoBiC/Captcha!%20CAPTCHA%20bypass.html
(CAPTCHA bypass)
12. WP-ContactForm <= 2.0.7 (Wordpress plugin)
Same security code may be used for multiple times
Original article: http://websecurity.com.ua/1599/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CAPTCHA%20bypass.html
13. Drupal (reCaptcha)
unique captcha_token parameter without recaptcha_response_field may
be used to bypass CAPTCHA.
Vulnerability is reported in reCaptcha plugin for Drupal, but
according to reCaptcha developers, vulnerability is in Drupal code.
Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/