MoBiC-12 Bonus: Peter’s Random Anti-Spam Image XSS
22:48 12.11.2007

Continuing our talk about the last participant of the project, Peter’s Random Anti-Spam Image. It is a captcha plugin for WordPress.
This is a popular captcha plugin that is used at many sites, so there are many web sites at risk because of it. The vulnerable version of the plugin is Peter’s Random Anti-Spam Image 0.2.4 (and all previous ones).
This captcha is vulnerable to XSS. As I wrote in the article MoBiC-05 Bonus: Google CAPTCHA bypass, there are vulnerabilities in captchas other than Insufficient Anti-automation (and I’ll write about some of them). I found this Cross-Site Scripting hole on 03.11.2007.
XSS:
POST request to the comment form, in the comment field:
</textarea><script>alert(document.cookie)</script>
Peter’s Random Anti-Spam Image XSS.html
This exploit is for educational purposes only. Don’t use this hole and exploit for malicious purposes.
You need to set up the exploit to test it (set the site’s URL and other data).
Moral: try to make captchas without XSS holes.
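The following added example (written here, not the plugin’s or the author’s code) shows the rendering pattern that lets the payload above work, and the hardened form. Since the post does not show the plugin source, it assumes that the plugin re-displays the submitted comment inside a <textarea> when the captcha check fails; the function and field names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumption: on a failed captcha check
// the plugin re-renders the comment form with the user's text filled in.

// Constructed sample input: the payload from the post.
$comment = '</textarea><script>alert(document.cookie)</script>';

// Vulnerable pattern (hypothetical function name): the comment is written back
// into the page as-is. The "</textarea>" inside the input closes the element
// early, and the "<script>" that follows becomes a live script element.
function render_comment_field_unsafe(string $comment): string
{
    return '<textarea name="comment">' . $comment . '</textarea>';
}

// Hardened pattern: HTML-encode the text before it goes into the textarea.
// Inside <textarea> the browser only looks for a closing tag, so turning "<"
// into "&lt;" (and "&" into "&amp;") is what prevents the breakout; ENT_QUOTES
// additionally makes the same helper safe for attribute contexts.
function render_comment_field_safe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="comment">' . $escaped . '</textarea>';
}

// Cheap regression check for templates: rendered output for one field should
// contain exactly one closing </textarea>; more than one means input broke out.
function textarea_breakout(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') > 1;
}

$unsafe = render_comment_field_unsafe($comment);
$safe   = render_comment_field_safe($comment);

echo "unsafe: ", $unsafe, "\n";
echo "safe:   ", $safe, "\n";
echo "breakout in unsafe output: ", var_export(textarea_breakout($unsafe), true), "\n";
echo "breakout in safe output:   ", var_export(textarea_breakout($safe), true), "\n";
```

In a WordPress plugin the idiomatic call for this context is esc_textarea(), which wraps htmlspecialchars() for exactly this purpose; the breakout check is only a test aid, the fix is the escaping at the output point. WordPress’s own comment form already escapes the field, which matches the observation in the comments below that the hole appears only when the plugin re-renders the form.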
Thursday, 23:31 06.12.2007
Is this a problem with the CAPTCHA or the WordPress comment form in general? Can you please explain how this cookie exploit interacts with the plugin?
Sunday, 23:34 09.08.2009
Peter, it’s a problem with your captcha plugin, because the hole does not appear when XSS code is sent in the comment field in general, but it does appear when your plugin is used at the site.
You need to use my exploit (which you need to set up: edit this html file to set the site’s URL) and you’ll see how it works and where the hole appears.