MoBiC-25: Anti Spam Image CAPTCHA bypass

22:54 25.11.2007

The next participant of the project is Anti Spam Image, a captcha plugin for WordPress. The vulnerable versions are Anti Spam Image 0.5 and earlier.

This is a popular captcha plugin, so there are many sites at risk because of it. It is the captcha I’m using on my site :-) (I like to find holes in captchas, even in my own captcha). And I made a new fixed version, 0.6, of the plugin.

This captcha is vulnerable to the session reusing with constant captcha bypass method (the hole occurs on older versions of PHP, before PHP 4.4.7). I found this Insufficient Anti-automation hole on 21.10.2007.

In the session reusing with constant captcha bypass method, you need to use the same securitycode value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you will be using the same code many times.
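The defensive counterpart of the reuse described above, as an added example that is not the plugin's code and not the fix shipped in version 0.6: a session-bound captcha check that leaves the code in place after validation, beside one that consumes it on every attempt. The session key `captcha_code` and the function names are hypothetical, `securitycode` is the form field named in the post, and the PHP version dependency is not modelled.

```php
<?php
// Added example, not the plugin's code. 'captcha_code' is a hypothetical
// session key; 'securitycode' is the form field named in the post.

// Run by the image script only: a new code exists only when an image is drawn.
function captcha_issue(array &$session): string
{
    $code = (string) random_int(10000, 99999);
    $session['captcha_code'] = $code;
    return $code;
}

// Reusable check: the stored code survives validation, so one solved code
// keeps passing while the session lives and no new image is requested.
function captcha_check_reusable(array &$session, string $submitted): bool
{
    $expected = $session['captcha_code'] ?? '';
    return $expected !== '' && hash_equals($expected, $submitted);
}

// One-time check: the stored code is removed on every attempt, right or wrong,
// so the next post fails until the image script has issued a fresh code.
function captcha_check_once(array &$session, string $submitted): bool
{
    $expected = $session['captcha_code'] ?? '';
    unset($session['captcha_code']);
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Constructed run: two posts carrying the same securitycode in one session,
// with no image request in between.
$session = [];                                   // stands in for $_SESSION
$securitycode = captcha_issue($session);
var_dump(captcha_check_reusable($session, $securitycode)); // first post
var_dump(captcha_check_reusable($session, $securitycode)); // repeated post

$session = [];
$securitycode = captcha_issue($session);
var_dump(captcha_check_once($session, $securitycode));     // first post
var_dump(captcha_check_once($session, $securitycode));     // repeated post
```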

Insufficient Anti-automation:

Anti Spam Image CAPTCHA bypass.html

This exploit is for educational purposes only. Don’t use it for malicious purposes.

You need to set up the exploit to test it (set the site’s URL and other data).

Moral: always check reliability of your captchas.

2 responses to "MoBiC-25: Anti Spam Image CAPTCHA bypass"

  1. Phastidio says:

    I guess this is almost an offtopic, but what about stopping to use captchas as an antispam? Akismet performs the same task very well, and it is not damaging accessibility for the visually impaired…

  2. MustLive says:


    It’s partly offtopic, but partly it’s about captchas, because you are talking about different ways to fight spam. Akismet is one of the real antispam methods.

    As I wrote in the article Fight with comment spam, there are different ways to block spam in comments. Some of them are effective, some not - and among the different methods I can mark out the most reliable: authentication services, CAPTCHA (secure ones) and Akismet. These have their peculiarities, but they are more reliable than other methods.

    About Akismet. It has some issues:

    1. Requirement of an API key. It’s better to make people’s lives easier, without spending time on different keys.

    2. It’s not bullet-proof - Akismet can sometimes put a legitimate comment into spam and it can let some spam pass (I saw such cases many times at my friend’s blog).

    3. It’s a third-party service, so you depend on them (on the stability and quality of the service).

