MoBiC-29: WP-ContactForm CAPTCHA bypass

20:44 29.11.2007

The next participant of the project is WP-ContactForm (its new version with a built-in captcha made by another author). It is a plugin for WordPress. The vulnerable version is WP-ContactForm 2.0.7 (and previous versions).

I already wrote about vulnerabilities in WP-ContactForm; that was in the original version of the plugin. Recently I fully tested it and found many new holes, and I’ll post information about the new holes in the original WP-ContactForm plugin later. I also fully tested the new version of this plugin and found many holes. It’s a very popular plugin (the version with captcha too), so there are many sites which are at risk with this plugin.

This is a text logical captcha and it is vulnerable to the constant value bypass method. I found this Insufficient Anti-automation hole on 22.11.2007.

To bypass the captcha you need to use the same wpcf_response value for every post. The constant value bypass method is similar to the MustLive CAPTCHA bypass method (the same value is sent many times).

Insufficient Anti-automation:

WP-ContactForm CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.

I found this hole at blogsecurity.net, which is using the WP-ContactForm plugin. It is a security site, so they need more reliable protection. I already informed the admin of the site about this issue.

Insufficient Anti-automation:

blogsecurity.net CAPTCHA bypass.html

Guys, don’t overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

P.S.

I also prepared other vulnerabilities in WP-ContactForm. So wait for today’s bonus post ;-) .
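
The weakness described above comes down to a captcha answer that stays valid after it has been used. The following is an added example, not code from the plugin or from this post: a language-neutral Python model of a server-side check that puts a replayable verification beside a single-use one. The post does not show the plugin's validation code, so everything except the `wpcf_response` field name (`CaptchaStore`, `challenge_id`, the addition question, the 300-second lifetime) is a hypothetical construction.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side record of issued challenges (hypothetical; a real plugin
    would keep this in the session or a database table)."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._pending = {}  # challenge_id -> (expected answer, expiry time)

    def issue(self, now=None):
        """Create a fresh text question and return (challenge_id, question)."""
        now = time.time() if now is None else now
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (str(a + b), now + self.ttl)
        return challenge_id, f"{a} + {b}"

    def verify_replayable(self, challenge_id, wpcf_response):
        """Model of the weakness: the challenge is looked up but never
        invalidated, so one solved value keeps passing on every post."""
        entry = self._pending.get(challenge_id)
        return entry is not None and entry[0] == wpcf_response.strip()

    def verify_once(self, challenge_id, wpcf_response, now=None):
        """Hardened check: pop() consumes the challenge on the first attempt,
        right or wrong, and expired challenges are rejected."""
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(expected.encode(), wpcf_response.strip().encode())


def replay_results(verify, challenge_id, answer, posts=3):
    """Submit the same (challenge_id, answer) pair several times."""
    return [verify(challenge_id, answer) for _ in range(posts)]
```

With `verify_once`, every form submission needs a newly issued challenge, so a constant value stops working after its first use.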

