MoBiC-18: PHP-Fusion CAPTCHA bypass

22:57 18.11.2007

The next participant of the project is the PHP-Fusion captcha, which is used on the registration page.

According to Google, there are up to 1740000 sites on the Internet running this engine. Counting the sites that use PHP-Fusion but carry no “Powered by PHP-Fusion” sign, potentially millions more sites are at risk from this insecure captcha (the “powered by PHP-Fusion” query returns up to 2340000 sites).

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 20.10.2007.

In the session reusing with constant captcha bypass method, you need to use the same user_code value for every post (during the current session). After you see the first captcha image and set its code in the exploit, you must not refresh the page with the captcha, so that it is not regenerated and you can use the same code many times.

Insufficient Anti-automation:

PHP-Fusion CAPTCHA bypass.html

This exploit is for educational purposes only.

This is the HTML version; you can also look at the Perl version of a similar exploit. You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.

I found this hole at bloglab.ru, which uses PHP-Fusion.

Insufficient Anti-automation:

bloglab.ru CAPTCHA bypass.html

Guys, don’t overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.
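
The fix for this class of hole, as an added example that is not part of the original post and is not PHP-Fusion's code: a minimal Python model of a server-side captcha store, showing that a challenge left valid after a check accepts the same code repeatedly, while one consumed on every attempt accepts it once. `CaptchaStore`, its parameters and `accepted_posts` are hypothetical names chosen for this sketch.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed sample alphabet


class CaptchaStore:
    """Hypothetical in-memory model of server-side captcha state."""

    def __init__(self, ttl_seconds=120, single_use=True):
        self.ttl = ttl_seconds
        self.single_use = single_use
        self._challenges = {}  # challenge_id -> (expected_code, issued_at)

    def issue(self, now=None):
        """Create a challenge; the code is what the image would display."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._challenges[challenge_id] = (code, now)
        return challenge_id, code

    def verify(self, challenge_id, user_code, now=None):
        now = time.time() if now is None else now
        if self.single_use:
            # Hardened: consume the challenge on every attempt, right or
            # wrong, so a solved (or guessed-at) code cannot be replayed.
            entry = self._challenges.pop(challenge_id, None)
        else:
            # Weak: the challenge survives the check, so one human-solved
            # code stays valid until the captcha page is regenerated.
            entry = self._challenges.get(challenge_id)
        if entry is None:
            return False
        code, issued_at = entry
        if now - issued_at > self.ttl:
            self._challenges.pop(challenge_id, None)  # expired: drop it
            return False
        return hmac.compare_digest(code.encode(), user_code.upper().encode())


def accepted_posts(store, attempts=5):
    """Regression check: solve one challenge, submit the same answer N times."""
    challenge_id, code = store.issue()
    return sum(store.verify(challenge_id, code) for _ in range(attempts))
```

A form handler built on the hardened mode must issue a fresh challenge for every rendered form, including the one shown again after a failed submission.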

