MoBiC-07: mt-scode CAPTCHA bypass

22:48 07.11.2007

The next participant of the project is mt-scode. It is a CAPTCHA anti-spam plugin for Movable Type (with a port for Drupal). This is a popular plugin that is used at many sites, so many thousands of sites are at risk because of this plugin.

This CAPTCHA is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 25.10.2007.

For the bypass you need to reuse the same code and scode values many times (for every post), i.e. a CAPTCHA that has been solved once is simply replayed. This is the classic MustLive CAPTCHA bypass method.

Insufficient Anti-automation:

mt-scode CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data). If you want to test it immediately, here is an online example.

I found this hole at blogs.nature.com, which uses mt-scode.

Insufficient Anti-automation:

blogs.nature.com CAPTCHA bypass.html

Guys, do not overdo the CAPTCHA bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never make such vulnerable CAPTCHAs.
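As an added illustration of the replay problem described above and of the moral (this is example code, not mt-scode's own implementation; the names code and scode are taken from the post, the hashing scheme, secret and expiry are assumptions), here is a stateless check that accepts the same code/scode pair forever beside a single-use check that consumes each issued challenge:

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key; assumption, not the plugin's real scheme.
SECRET = b"constructed-server-secret"


def issue_stateless():
    """Replayable design: scode is a keyed hash of code, nothing is stored server-side."""
    code = secrets.token_hex(3)
    scode = hmac.new(SECRET, code.encode(), hashlib.sha256).hexdigest()
    return code, scode


def verify_stateless(code, scode):
    """Any pair that passed once passes again: one solved CAPTCHA covers every post."""
    expected = hmac.new(SECRET, code.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), scode.encode())


class SingleUseCaptcha:
    """Hardened design: the server remembers each challenge and consumes it on first use."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._ttl = ttl_seconds
        self._pending = {}       # scode -> (code, issued_at)

    def issue(self):
        code = secrets.token_hex(3)
        scode = secrets.token_urlsafe(16)  # random handle, not derivable from code
        self._pending[scode] = (code, self._now())
        return code, scode

    def verify(self, code, scode):
        # pop() consumes the challenge even on a wrong answer, so one scode cannot be
        # retried or replayed; the client must fetch a fresh CAPTCHA for every post.
        entry = self._pending.pop(scode, None)
        if entry is None:
            return False
        stored_code, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(stored_code.encode(), code.encode())


def demo():
    """Submit the same pair three times against each design; returns the two verdict lists."""
    code, scode = issue_stateless()
    stateless = [verify_stateless(code, scode) for _ in range(3)]
    cap = SingleUseCaptcha()
    code2, scode2 = cap.issue()
    single_use = [cap.verify(code2, scode2) for _ in range(3)]
    return stateless, single_use
```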


2 responses to “MoBiC-07: mt-scode CAPTCHA bypass”

  1. sevgi says:

    thank you for sharing

  2. MustLive says:

    sevgi

    You are welcome.
