MoBiC-25: Anti Spam Image CAPTCHA bypass
22:54 25.11.2007

The next participant of the project is Anti Spam Image, a captcha plugin for WordPress. The vulnerable version is Anti Spam Image 0.5 (and previous versions).
This is a popular captcha plugin, so there are many sites at risk because of it. It is the captcha that I’m using on my site (I like to find holes in captchas, even in my own captcha). And I made a new fixed version 0.6 of the plugin.
This captcha is vulnerable to the session reusing with constant captcha bypass method (the hole occurs in versions of PHP other than the latest ones, before PHP 4.4.7). I found this Insufficient Anti-automation hole on 21.10.2007.
In the session reusing with constant captcha bypass method, you need to use the same securitycode value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you’ll be using the same code many times.
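The method above works whenever the code stored in the session outlives its first use. The following PHP model is an added example, not the plugin's code and not the fix shipped in version 0.6: it puts a check that leaves the code in place beside one that consumes it on every attempt. The function names and the array standing in for `$_SESSION` are hypothetical, only the `securitycode` name comes from the post, and the PHP version dependence mentioned above is not modelled.

```php
<?php
// Hypothetical model of a session-backed captcha check (not the plugin's code).
// $session stands in for $_SESSION so the script runs from the PHP 7+ CLI.

// Called when the captcha image is rendered: stores a fresh code.
function captcha_issue(array &$session): string {
    $session['securitycode'] = strtoupper(bin2hex(random_bytes(3)));
    return $session['securitycode'];
}

// Weak form: the stored code survives validation, so it stays valid
// until the image script happens to run again.
function captcha_check_weak(array &$session, string $submitted): bool {
    return isset($session['securitycode'])
        && hash_equals($session['securitycode'], strtoupper($submitted));
}

// Hardened form: the code is consumed on every attempt, pass or fail,
// so a second post needs a newly rendered image and a newly solved code.
function captcha_check_single_use(array &$session, string $submitted): bool {
    $expected = $session['securitycode'] ?? null;
    unset($session['securitycode']);          // invalidate before comparing
    return is_string($expected) && $expected !== ''
        && hash_equals($expected, strtoupper($submitted));
}

// Constructed scenario: one image load, then three posts with the same value.
function replay_same_code(callable $check): array {
    $session = [];
    $code = captcha_issue($session);
    $results = [];
    for ($i = 0; $i < 3; $i++) {
        $results[] = $check($session, $code);
    }
    return $results;
}

foreach (['captcha_check_weak', 'captcha_check_single_use'] as $check) {
    echo $check, ': ', json_encode(replay_same_code($check)), PHP_EOL;
}
```

The weak check accepts every replay of the one code, while the single-use check accepts only the first post and rejects the rest until a new image is issued.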
Insufficient Anti-automation:
Anti Spam Image CAPTCHA bypass.html
This exploit is for educational purposes only. Don’t use it for malicious purposes.
You need to set up the exploit to test it (set the site’s URL and other data).
Moral: always check reliability of your captchas.