MoBiC-26: Captcha! CAPTCHA bypass
20:25 26.11.2007
The next participant in the project is Captcha!, a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).
This is a very popular captcha plugin. It is one of the recommended captcha plugins at codex.wordpress.org, so many thousands of sites are at risk with this plugin.
This captcha is vulnerable to CSRF and to the null string bypass method. I found these Cross-Site Request Forgery and Insufficient Anti-automation holes on 10.11.2007.
The null string bypass is a very tricky method. First you perform the CSRF attack, and after that you can easily bypass the captcha. This captcha uses one-time images, so this tricky method is needed to bypass it. Using CSRF, you set the captcha_numchars option to 0. After that you can send messages with empty public_key and private_key values (null strings) or without these parameters at all (similar to MoBiC-10 Bonus: another PHP-Nuke CAPTCHA bypass). So you bypass the captcha, and so does everyone who sends messages after you. It's social spam style: one hack of the captcha, all spam.
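A constructed model of the two defects described above, added here as an example that is not the plugin's own code: the option name captcha_numchars comes from the post, while the single public_key answer field, the WordPress-style _wpnonce token and the in-memory Site class are assumptions, and the real plugin's verification may differ in detail. The vulnerable functions honour a cross-site option change and accept a null-string answer against a zero-length challenge; the hardened ones require a one-time nonce, refuse captcha_numchars below 1, reject an empty challenge or answer, and compare in constant time.

```python
import hmac
import secrets

# Constructed model (added example, not the plugin's code) of the two defects
# the post describes; field names and the verification flow are assumptions.
class Site:
    def __init__(self):
        self.options = {"captcha_numchars": 5}
        self.nonces = set()    # one-time tokens issued to logged-in admins
        self.challenge = None  # text rendered in the one-time image

    def issue_nonce(self):
        n = secrets.token_hex(8)
        self.nonces.add(n)
        return n

    def new_challenge(self):
        n = self.options["captcha_numchars"]
        self.challenge = secrets.token_hex(n)[:n]  # '' when numchars is 0
        return self.challenge

def update_option_vulnerable(site, params):
    # Any request naming the option is honoured, so a page the admin merely
    # visits can submit captcha_numchars=0 on their behalf (the CSRF hole).
    site.options["captcha_numchars"] = int(params["captcha_numchars"])
    return True

def update_option_hardened(site, params):
    # Require a one-time token tied to the admin session and a sane value.
    nonce = params.get("_wpnonce")
    if nonce not in site.nonces:
        return False
    site.nonces.discard(nonce)
    n = int(params.get("captcha_numchars", 0))
    if n < 1:
        return False
    site.options["captcha_numchars"] = n
    return True

def verify_vulnerable(site, params):
    # Loose check: a zero-length challenge equals an empty or missing
    # public_key, so the null-string submission is accepted.
    return params.get("public_key", "") == site.challenge

def verify_hardened(site, params):
    # Refuse an empty challenge or answer outright, then compare in constant time.
    given = params.get("public_key")
    if not site.challenge or not given:
        return False
    return hmac.compare_digest(given, site.challenge)
```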
CSRF + Insufficient Anti-automation:
Captcha! CSRF.html
Captcha! CAPTCHA bypass.html
This exploit is for educational purposes only.
You need to set up the exploit to test it (set the site's URL and other data).
Moral: never make such insecure captchas.
P.S.
I have also prepared other vulnerabilities in Captcha!. So wait for today's bonus post.