MoBiC-03: Peter’s Custom Anti-Spam Image CAPTCHA bypass

22:40 03.11.2007

The next participant of the project is Peter’s Custom Anti-Spam Image, a CAPTCHA plugin for WordPress.

Statistics at wordpress.org say that this plugin has been downloaded 4571 times. Since the plugin can also be downloaded from other sources, the total number of downloads, and of sites using it, is much larger. So many thousands of sites are at risk because of this plugin.

This CAPTCHA is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 12.10.2007 (I had already found them in August; in October I just wrote a working exploit).

1. Constant values bypass method.

The CAPTCHA has only 10 constant values, from antiselect=1 to antiselect=10, and each value always corresponds to the same image and the same code. So once the ten answers are known, it is easy for a program to tell from the parameter’s value which code the current CAPTCHA needs.

2. MustLive CAPTCHA bypass method.

To bypass it, you use the same securitycode and matchthis values many times (for every post): the plugin accepts an already-used pair again, so one solved CAPTCHA serves every submission. This is my own CAPTCHA bypass method. It is a very effective bypass method.
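The following Python is an added simulation written for this page; it is not the plugin’s code and not the exploit files linked below. It models the two weaknesses described above (a fixed set of ten challenges, and a check that accepts a solved pair again) next to the kind of fix described in the comments (a unique token per form, deleted once a comment has gone through). The field names antiselect, matchthis and securitycode come from the post; what matchthis actually carries in the plugin and the ten image answers are assumptions, so placeholders are used.

```python
import secrets

# Constructed stand-in for the ten fixed challenges (antiselect=1 .. 10).
# The real images' answers are not on the page; these are placeholders.
FIXED_CHALLENGES = {i: f"word{i}" for i in range(1, 11)}


class VulnerableCaptcha:
    """Models the weak design: a fixed challenge set and a stateless check.

    Assumption: matchthis is the hidden field naming the challenge that was
    shown, securitycode is what the visitor typed. Nothing is stored per
    request, so a pair that verifies once verifies forever.
    """

    def new_form(self):
        antiselect = secrets.choice(sorted(FIXED_CHALLENGES))
        return {"antiselect": antiselect, "matchthis": antiselect}

    def verify(self, form):
        expected = FIXED_CHALLENGES.get(form.get("matchthis"))
        return expected is not None and expected == form.get("securitycode")


class OneTimeCaptcha:
    """Hardened variant: fresh random token per form, answer kept server-side,
    token deleted on the first successful use so it cannot be replayed."""

    def __init__(self):
        self._pending = {}  # token -> expected answer

    def new_form(self):
        token = secrets.token_hex(16)
        answer = secrets.token_hex(3)  # stand-in for a freshly rendered image
        self._pending[token] = answer
        return {"matchthis": token, "_image_text": answer}

    def verify(self, form):
        token = form.get("matchthis")
        expected = self._pending.get(token)
        if expected is None:
            return False
        if not secrets.compare_digest(expected, str(form.get("securitycode", ""))):
            return False
        del self._pending[token]  # burn the token: a second use fails
        return True


def harvest_table(captcha, human_solve, max_requests=500):
    """Method 1 (constant values): read each of the ten images once by hand
    and keep the antiselect -> answer mapping. human_solve stands for the
    one-time manual reading; afterwards a script answers from the table."""
    table = {}
    for _ in range(max_requests):
        form = captcha.new_form()
        if form["antiselect"] not in table:
            table[form["antiselect"]] = human_solve(form["antiselect"])
        if len(table) == len(FIXED_CHALLENGES):
            break
    return table


def auto_answer(form, table):
    """Fill in securitycode for a fresh form purely from its antiselect value."""
    return dict(form, securitycode=table[form["antiselect"]])


def replay(captcha, solved_form, times):
    """Method 2 (replay): resubmit one solved (matchthis, securitycode) pair
    with every post. Returns how many submissions the verifier accepted."""
    return sum(captcha.verify(solved_form) for _ in range(times))


def demo():
    weak = VulnerableCaptcha()
    table = harvest_table(weak, FIXED_CHALLENGES.__getitem__)
    lookup_ok = all(weak.verify(auto_answer(weak.new_form(), table)) for _ in range(50))
    solved = auto_answer(weak.new_form(), table)
    weak_replays = replay(weak, solved, 100)

    strong = OneTimeCaptcha()
    form = strong.new_form()
    answer = dict(form, securitycode=form["_image_text"])
    first_ok = strong.verify(answer)
    strong_replays = replay(strong, answer, 100)
    return {"lookup_ok": lookup_ok, "weak_replays": weak_replays,
            "first_ok": first_ok, "strong_replays": strong_replays}


if __name__ == "__main__":
    print(demo())
```

Against the weak model every one of the 100 replays is accepted and the harvested table answers every new form without reading an image; against the one-time model the first submission passes and all 100 replays fail, because the token no longer exists server-side.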

Insufficient Anti-automation:

Peter’s Custom Anti-Spam Image CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.

I found this hole at xato.net, a site about security. The author also talks on his site about the security of CAPTCHAs, but at the same time he is using a vulnerable CAPTCHA. I have already told him about this vulnerability.

Insufficient Anti-automation:

xato.net CAPTCHA bypass.html

Guys, do not overdo this CAPTCHA bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never make such unreliable CAPTCHAs.


2 responses to “MoBiC-03: Peter’s Custom Anti-Spam Image CAPTCHA bypass”

  1. Peter says:

    I’m not sure which version you were working with because both problems mentioned were addressed in Version 2.9.0 on August 11, 2007.

    “antiselect” values are now unique and deleted once a successful comment has gone through.

    I do appreciate your testing, however, and will admit that the images are quite readable (on purpose). But structurally the holes that you pointed out were addressed already.

  2. MustLive says:

    Peter

    I don’t know which version of the plugin is affected, because I found these holes at the site xato.net. So it was unknown to me which version of the plugin was at that site when I wrote this post in my MoBiC project. Possibly it was a version before 2.9.0.
