MoBiC-26 Bonus: XSS in Captcha!

22:48 26.11.2007

Continuing our talk about the last participant of the project: Captcha!, a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).

In addition to Cross-Site Request Forgery and Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 10.11.2007.

There are four XSS holes, and all of them are persistent XSS. The holes are in the plugin options page (http://site/wp-admin/options-general.php?page=captcha\captcha.php), in the parameters captcha_ttffolder, captcha_numchars, captcha_ttfrange and captcha_secret. To attack, you need to make a POST request to the plugin options script.
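The two weaknesses described above (a persistent XSS in stored option values and a CSRF on the options script) share one root cause: an options form that accepts any POST and prints stored values back into the page unescaped. The following is an added example of a hardened options handler for a WordPress plugin; it is not the Captcha! plugin's own code. It assumes current WordPress APIs (check_admin_referer, current_user_can, wp_nonce_field, sanitize_text_field, esc_attr, update_option, get_option), reuses the four option names from this advisory, and the nonce action name `captcha_options_save` and the function names are assumptions for illustration.

```php
<?php
// Added example, not the Captcha! plugin's code. Assumes current WordPress APIs.
// The four captcha_* option names come from the advisory; the nonce action
// name and the captcha_example_* function names are assumptions.

define( 'CAPTCHA_NONCE_ACTION', 'captcha_options_save' );

/**
 * Save handler. A POST is only honoured if it carries a nonce bound to the
 * current user's session (this is what defeats a forged cross-site POST) and
 * the user may manage options. Every value is normalised before storage so
 * that markup never reaches the database in the first place.
 */
function captcha_example_save_options() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // Stops with "Are you sure you want to do this?" on a missing/invalid nonce.
    check_admin_referer( CAPTCHA_NONCE_ACTION );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Free-form text settings: strip tags, control characters and slashes.
    foreach ( array( 'captcha_ttffolder', 'captcha_ttfrange', 'captcha_secret' ) as $name ) {
        $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
        update_option( $name, sanitize_text_field( $raw ) );
    }

    // Numeric setting: coerce to a non-negative integer and clamp to a sane range,
    // so a string payload can never be stored under this key at all.
    $numchars = isset( $_POST['captcha_numchars'] ) ? absint( $_POST['captcha_numchars'] ) : 0;
    update_option( 'captcha_numchars', max( 3, min( 8, $numchars ) ) );
}

/**
 * Render the form. Each stored value is escaped for the attribute context it is
 * printed into, so even a value that somehow bypassed sanitisation cannot break
 * out of value="". The nonce field is what the save handler checks.
 */
function captcha_example_render_options_form() {
    $fields = array(
        'captcha_ttffolder' => 'TTF folder',
        'captcha_numchars'  => 'Number of characters',
        'captcha_ttfrange'  => 'TTF range',
        'captcha_secret'    => 'Secret',
    );
    echo '<form method="post" action="">';
    wp_nonce_field( CAPTCHA_NONCE_ACTION );
    foreach ( $fields as $name => $label ) {
        printf(
            '<p><label for="%1$s">%2$s</label> <input type="text" id="%1$s" name="%1$s" value="%3$s"></p>',
            esc_attr( $name ),
            esc_html( $label ),
            esc_attr( get_option( $name, '' ) ) // output escaping: the fix for the stored XSS
        );
    }
    echo '<p><input type="submit" class="button-primary" value="Save"></p></form>';
}
```

Both halves matter: sanitising on input limits what gets stored, and escaping on output (esc_attr for attribute values, esc_html for text nodes) guarantees that whatever is stored is rendered as data rather than markup. The nonce check is the control that addresses the CSRF finding, because an attacker's page cannot obtain the victim's nonce value.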

XSS:

Captcha! XSS.html

Captcha! XSS2.html

Captcha! XSS3.html

Captcha! XSS4.html

These exploits are for educational purposes only. Don’t use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site’s URL and other data).

Moral: always make captchas more secure, and without XSS holes.


2 responses to “MoBiC-26 Bonus: XSS in Captcha!”

  1. Boriel says:

    Hi! As said here: http://www.boriel.com/2006/05/27/bye-bye-captcha/ Captcha! is a bit unmaintained (I will fix this today, anyway). This hack won’t work for Firefox (at least on 2.0.0.11) users, as javascript submits will display a warning message and an “Ok” button. But maybe in IE, they will do. :!:

  2. Boriel says:

    Don’t know why, but the Firefox warning is no longer appearing. :?: So users had better install the NoScript! extension.

    Regarding your Captcha, it is very insecure, since it allows an OCR attack (chars are easily recognisable by a program).
