MoBiC-26 Bonus: XSS in Captcha!
22:48 26.11.2007

Continuing our talk about the last participant of the project, Captcha!. It is a captcha plugin for WordPress. The vulnerable version is Captcha! 2.5d (and previous versions).
This captcha, in addition to Cross-Site Request Forgery and Insufficient Anti-automation, is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 10.11.2007.
There are four XSS holes, and they are persistent XSS. The holes are in the plugin options page (http://site/wp-admin/options-general.php?page=captcha\captcha.php), in the parameters captcha_ttffolder, captcha_numchars, captcha_ttfrange and captcha_secret. To attack, you need to make a POST request to the plugin options script.
XSS:
These exploits are for educational purposes only. Don’t use these holes and exploits for malicious purposes.
You need to set up the exploits to test them (set the site’s URL and other data).
Moral: always make captchas more secure, and without XSS holes.
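To show why the four option parameters above become persistent XSS (and why a POST to the options script is enough to plant them), here is an added example of a WordPress options page written twice: first in the vulnerable shape described in this post, then hardened. This is illustration code, not the Captcha! plugin’s own source; the function names `demo_vulnerable_options_page` and `demo_hardened_options_page` and the nonce action `demo_captcha_options` are hypothetical, while `get_option`, `update_option`, `esc_attr`, `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_unslash`, `sanitize_text_field` and `absint` are real WordPress core functions (some of them newer than the 2007 plugin).

```php
<?php
// Added example, not the Captcha! plugin's code. The option names come from the
// post; everything else is a hypothetical reconstruction of the two patterns.

$fields = array('captcha_ttffolder', 'captcha_numchars', 'captcha_ttfrange', 'captcha_secret');

// --- Vulnerable pattern ----------------------------------------------------
// Any POST is accepted (no nonce, no capability check), so the write is
// reachable by CSRF, and the stored value is printed straight into the
// value="" attribute. A stored value containing a closing quote and script
// markup is then executed for every administrator who opens the page:
// that is the "persistent XSS" the post describes.
function demo_vulnerable_options_page($fields) {
    if (!empty($_POST)) {
        foreach ($fields as $name) {
            update_option($name, $_POST[$name]);
        }
    }
    echo '<form method="post">';
    foreach ($fields as $name) {
        echo '<input type="text" name="' . $name . '" value="' . get_option($name) . '" />';
    }
    echo '<input type="submit" /></form>';
}

// --- Hardened pattern ------------------------------------------------------
function demo_hardened_options_page($fields) {
    // Only users allowed to manage options may even see or submit the form.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    if (!empty($_POST)) {
        // Dies unless the request carries a valid nonce for this action,
        // which closes the CSRF hole.
        check_admin_referer('demo_captcha_options');
        foreach ($fields as $name) {
            $raw = isset($_POST[$name]) ? wp_unslash($_POST[$name]) : '';
            // Sanitise on input according to the expected type: the character
            // count is an integer, the rest are plain strings.
            $clean = ($name === 'captcha_numchars') ? absint($raw) : sanitize_text_field($raw);
            update_option($name, $clean);
        }
    }
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field('demo_captcha_options');
    foreach ($fields as $name) {
        // Escape on output for the attribute context. This is the line that
        // actually stops a stored value from breaking out of value="".
        echo '<input type="text" name="' . esc_attr($name)
           . '" value="' . esc_attr(get_option($name)) . '" />';
    }
    echo '<input type="submit" /></form>';
}
```

The two fixes are independent: the nonce stops a third party from writing the options through the victim’s browser, and the output escaping stops whatever is stored from running as script. Input sanitisation is a useful extra layer, but on its own it is not a substitute for escaping at the point of output.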
Saturday, 23:54 22.12.2007
Hi! As said here: http://www.boriel.com/2006/05/27/bye-bye-captcha/ Captcha! is a bit unmaintained (I will fix this today, anyway). This hack won’t work for Firefox (at least on 2.0.0.11) users, as JavaScript submits will display a warning message and an “Ok” button. But maybe in IE, they will do.
Sunday, 00:21 23.12.2007
Don’t know why, but the Firefox warning is no longer appearing.
So users had better install the NoScript! extension.
Regarding your Captcha, it is very insecure, since it allows an OCR attack (chars are easily recognisable by a program).