i need to bypass chapcha on this page, im not quiete sure how to do so.

unknown

You need to read above-mentioned description of the vulnerability and look at the source code of exploit which I provided.

is it still possible?

Yes, it is. That vulnerability concerns to old versions of Drupal (and its Captcha module). But as I mentioned before, recently I announced new vulnerability in reCAPTCHA for Drupal (which I found this year). Which concerns to new versions of Drupal (and its Captcha module).

So the CAPTCHA plugin hole (which was fixed months ago) is the real cause of the problem.

Ben

reCAPTCHA is a subplugin, so hole was in main plugin (in that case), but you have responsibility for this hole too. Because it’s your module and there must be no bypasses of the captcha (even due to holes in some other Drupal’s modules). Your plugin must be immune to such issues, up to making your own captcha module which will be “stand-alone” module, i.e. will not be requiring any other modules for work.

Full disclosure is a good practice. What is not a good practice is full disclosure before notifying the authors of the code in question and giving them a chance to fix it.

During 2006-2010 I used appropriate disclosure policies in every case and will be doing so in future. For MOSEB and MoBiC projects I used one disclosure policy, for other cases - other apropriate disclosure policies.

i need to bypass chapcha on this page, im not quiete sure how to do so.

is it still possible?

thank you
RRR

reCAPTCHA actually gives admins better tools than most CAPTCHAs to enforce security. As an example, reCAPTCHA takes care of duplicate solutions, preventing the site administrators from needing to worry about this.

Full disclosure is a good practice. What is not a good practice is full disclosure before notifying the authors of the code in question and giving them a chance to fix it. I really hope you’ll reconsider this for the future.

It’s good that you responded. As I wrote in my article after I found this hole at keng.ws, I also tested at some others sites which use reCaptcha and they were not vulnerable to this hole. So it’s some issue at this site (with plugin or with Drupal) and it’s possible that there are many sites with such hole.

At page on which you referred to said that problem not in Drupal itself (Drupal core is not affected), but in Captcha plugin. So it’s plugin issue, not engine, as developers said. And it’s another plugin, than reCaptcha. So in case if it’s the same issue, than the hole is in Captcha plugin and in reCaptcha plugin (for Drupal, and there is possibility that plugins for others CMS can have such hole too).

Man, I’m not just blogging like you said. It is a project - Month of Bugs in Captchas. And in this project, like in my previous project Month of Search Engines Bugs, I’m using full disclosure. So all information posted with details. But I’m trying to inform beforehand every participant of the project (owners of the sites with vulnerable captchas) about holes at their sites. From your side, you need to work that every plugin and every engine which use reCaptcha have no such Insufficient Anti-automation vulnerablities. And inform every site’s admin which has vulnerable reCaptcha setup about that.

I’m one of the engineers on reCAPTCHA. This issue appears to be drupal.org/node/114364. It is a security flaw in the drupal code rather than the reCAPTCHA plugin.

In the future, we’d appreciate disclosure of potential security issues via support@recaptcha.net rather than by blogging.