MoBiC-19: HBH-Fusion CAPTCHA bypass

22:52 19.11.2007

Next participant of the project is HBH-Fusion captcha. Which is using at registration page. This hole I found at It’s hackers site and it needs more reliable captcha.

This captcha is vulnerable for session reusing with constant captcha bypass method. This Insufficient Anti-automation hole I found 27.07.2007.

In session reusing with constant captcha bypass method for bypassing you need to use the same user_code value for every post (during current session). And after you’ll see first captcha image and set it in exploit, you need to not refresh page with captcha, so it will not be regenerating and you’ll be using the same code many times.

This hole is similar to MoBiC-18: PHP-Fusion CAPTCHA bypass, because HBH-Fusion is modification of PHP-Fusion. But in this case I made perl exploit. First I made html version of exploits, but when I retested the hole in October, I found that these guys added anti CSRF protection (which would not help them in this case). So in result I made perl version of exploit for bypassing captcha and anti CSRF protection.

Insufficient Anti-automation:

HBH-Fusion CAPTCHA bypass.txt

Guys not overdo with this Captcha bypass test. This exploit for educational purposes only.

Moral: never make such insecure captchas.

Leave a Reply

You must be logged in to post a comment.