MoBiC-23: Math Comment Spam Protection CAPTCHA bypass
20:43 23.11.2007Next participant of the project is Math Comment Spam Protection. It is captcha plugin for WordPress. Vulnerable version is Math Comment Spam Protection 2.1 (and previous versions).
Statistics at wordpress.org said that this plugin was downloaded 1776 times. And taking into account that this plugin also can be downloaded from others sources, so total amount of downloads and sites which use this plugin is much more. So there are many thousands of sites which are in risk with this plugin.
This is text logical captcha and it is vulnerable for MustLive CAPTCHA bypass method. This Insufficient Anti-automation hole I found 21.10.2007 (at tehposse.org and yesterday I tested the plugin itself).
For bypassing captcha you need to use the same mcspvalue and mcspinfo values many times (for every post). This is classic MustLive CAPTCHA bypass method, which easily bypass text logical captchas.
Insufficient Anti-automation:
Math Comment Spam Protection CAPTCHA bypass.html
This exploit for educational purposes only.
You need to setup exploit to test it (set site’s URL and others data). If you want to test it immediately, here is online example.
I found this hole at tehposse.org which is using Math Comment Spam Protection plugin (admin only changed form’s fields names from mcspvalue and mcspinfo to mscpvalue and mscpinfo).
Insufficient Anti-automation:
tehposse.org CAPTCHA bypass.html
Guys not overdo with this Captcha bypass test. Not post too much at this site. This exploit for educational purposes only.
Moral: never make such unreliable captchas.
P.S.
Also I prepared another vulnerabilities in Math Comment Spam Protection. So wait for today’s bonus post .