Continuing our discussion of the last participant of the project: Math Comment Spam Protection. It is a captcha plugin for WordPress. The vulnerable version is Math Comment Spam Protection 2.1 (and previous versions).
In addition to Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Peter's Random Anti-Spam Image captcha). I found these Cross-Site Scripting holes on 22.11.2007.
There are two XSS holes, and both are persistent XSS. The holes are on the plugin's options page (http://site/wp-admin/options-general.php?page=math-comment-spam-protection.php), in the parameters mcsp_opt_msg_no_answer and mcsp_opt_msg_wrong_answer. To attack, you need to combine CSRF and XSS (for both holes): with CSRF you put the XSS code into the database (via the admin), and then the admin or any visitor of the site who posts a comment with an empty or incorrect captcha value, or whom you trick into doing so, will be attacked.
1. Attack on the mcsp_opt_msg_no_answer value.
2. Attack on the mcsp_opt_msg_wrong_answer value.
These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.
You need to set up the exploits to test them (set the site's URL and other data).
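For reference, here is the pattern behind this class of bug and the fix a plugin author would apply. This is an added illustration, not the plugin's real source: the option names come from the advisory above, the mcsp_* function names are assumed, and the wp_nonce_field, check_admin_referer, sanitize_text_field and esc_html calls are current WordPress API functions.

```php
<?php
// Constructed illustration, not the plugin's real code. Option names are
// those named in the advisory; the mcsp_* function names are assumptions.

// VULNERABLE pattern: the stored message is echoed without escaping, so a
// value written to the option by a forged admin request becomes persistent
// XSS for every commenter who submits an empty or wrong captcha answer.
function mcsp_show_error_vulnerable( $which ) {
    $msg = get_option( $which ); // e.g. 'mcsp_opt_msg_no_answer'
    echo '<p class="mcsp-error">' . $msg . '</p>';
}

// HARDENED pattern, three layers:
// 1. The save handler accepts only a form carrying a valid nonce, which
//    stops a cross-site request from writing the option in the admin's session.
// 2. The value is sanitized before it is stored.
// 3. The value is escaped at output time regardless of what is stored.
function mcsp_save_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'mcsp_save_options' ); // dies if the nonce is missing/invalid
    foreach ( array( 'mcsp_opt_msg_no_answer', 'mcsp_opt_msg_wrong_answer' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }
}

// Printed inside the options form so the save handler above can verify it.
function mcsp_options_form_nonce() {
    wp_nonce_field( 'mcsp_save_options' );
}

function mcsp_show_error_hardened( $which ) {
    $msg = get_option( $which, '' );
    echo '<p class="mcsp-error">' . esc_html( $msg ) . '</p>';
}
```

Escaping at output is the layer that closes the XSS even if a malicious value is already in the database; the nonce check is what closes the CSRF path used to plant it.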
Moral: always make captchas more secure, and without XSS holes.