MoBiC-28 Bonus: XSS in Cryptographp

22:54 28.11.2007

In this post of Month of Bugs in Captchas we continue with one of the project's previous participants, Cryptographp. It is a captcha plugin for WordPress. The vulnerable version is Cryptographp 1.2 (and previous versions).

In addition to Insufficient Anti-automation, this captcha is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 22.11.2007.

There are 24 XSS holes, and all of them are persistent XSS. The holes are on the plugin options page (http://site/wp-admin/options-general.php?page=cryptographp/admin.php) in the parameters cryptwidth, cryptheight, bgimg, charR, charG, charB, charclear, tfont, charel, charelc, charelv, charnbmin, charnbmax, charspace, charsizemin, charsizemax, charanglemax, noisepxmin, noisepxmax, noiselinemin, noiselinemax, nbcirclemin, nbcirclemax, brushsize. The attack requires a POST request to the plugin options script.
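As an added defensive example (not Cryptographp's own code and not part of the original post), here is how a WordPress options handler for the 24 parameters above can stop this kind of persistent XSS: validate on save, escape on output, and accept only authorised, nonce-protected POSTs. The option names come from the post; the form field names, nonce name, numeric ranges and the use of current WordPress API functions are assumptions.

```php
<?php
// Added defensive example, not the plugin's code. Assumes a current WordPress
// install; numeric ranges and the nonce/field names below are assumed values.

// Numeric options: name => [min, max]. Casting to int strips any markup.
const CRYPTO_INT_OPTS = [
    'cryptwidth' => [50, 500], 'cryptheight' => [20, 200],
    'charR' => [0, 255], 'charG' => [0, 255], 'charB' => [0, 255],
    'charclear' => [0, 255], 'charel' => [0, 100], 'charelc' => [0, 255],
    'charelv' => [0, 255], 'charnbmin' => [1, 20], 'charnbmax' => [1, 20],
    'charspace' => [0, 50], 'charsizemin' => [4, 60], 'charsizemax' => [4, 60],
    'charanglemax' => [0, 90], 'noisepxmin' => [0, 1000], 'noisepxmax' => [0, 1000],
    'noiselinemin' => [0, 100], 'noiselinemax' => [0, 100],
    'nbcirclemin' => [0, 100], 'nbcirclemax' => [0, 100], 'brushsize' => [1, 20],
];
// File-name options: only a bare file name is acceptable, no path and no markup.
const CRYPTO_FILE_OPTS = ['bgimg', 'tfont'];

function crypto_clamp_int($value, int $min, int $max): int {
    $n = (int) $value;               // "1<script>" becomes 1, "abc" becomes 0
    return max($min, min($max, $n));
}

function crypto_save_options(): void {
    // Reject POSTs from users without the capability or without a valid nonce.
    if (!current_user_can('manage_options')) { wp_die('Forbidden'); }
    check_admin_referer('crypto_save_options', 'crypto_nonce');
    foreach (CRYPTO_INT_OPTS as $name => [$min, $max]) {
        if (isset($_POST[$name])) {
            update_option($name, crypto_clamp_int($_POST[$name], $min, $max));
        }
    }
    foreach (CRYPTO_FILE_OPTS as $name) {
        if (isset($_POST[$name])) {
            update_option($name, sanitize_file_name(wp_unslash($_POST[$name])));
        }
    }
}

// Output side: escape every stored value when rebuilding the options form, so a
// value that somehow reached the database still cannot become markup.
function crypto_render_field(string $name): string {
    return sprintf('<input type="text" name="%1$s" value="%2$s">',
        esc_attr($name), esc_attr((string) get_option($name, '')));
}

// The form that posts to crypto_save_options() must also emit the nonce:
// wp_nonce_field('crypto_save_options', 'crypto_nonce');
```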

XSS:

Cryptographp XSS.html

Cryptographp XSS2.html

Cryptographp XSS3.html

Cryptographp XSS4.html

Cryptographp XSS5.html

Cryptographp XSS6.html

Cryptographp XSS7.html

Cryptographp XSS8.html

Cryptographp XSS9.html

Cryptographp XSS10.html

Cryptographp XSS11.html

Cryptographp XSS12.html

Cryptographp XSS13.html

Cryptographp XSS14.html

Cryptographp XSS15.html

Cryptographp XSS16.html

Cryptographp XSS17.html

Cryptographp XSS18.html

Cryptographp XSS19.html

Cryptographp XSS20.html

Cryptographp XSS21.html

Cryptographp XSS22.html

Cryptographp XSS23.html

Cryptographp XSS24.html

These exploits are for educational purposes only. Don't use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site's URL and other data).

Moral: always make captchas more secure, and without XSS holes.
