[drupal-devel] Fwd: [WEB SECURITY] CAPTCHA vulnerabilities - multiple vendors
vulnerability found in drupal captcha implementation.

---------- Forwarded message ----------
From: systemcracker@gmail.com <systemcracker@gmail.com>
Date: May 22, 2005 10:34 PM
Subject: [WEB SECURITY] CAPTCHA vulnerabilities - multiple vendors
To: webappsec <webappsec@securityfocus.com>, websecurity@webappsec.org

Hi there.

While developing a CAPTCHA script in PHP, I found a serious problem with my own script that also affects a *large* number of commercial and free CAPTCHA applications.

Most CAPTCHAs don't destroy the session when the correct phrase is entered; this enables attackers to re-use a session ID for a known captcha string, thus allowing multiple form submittals.

A list of all the scripts I could get my hands on, with details of whether they're vulnerable or not, is given below (taken from http://en.wikipedia.org/wiki/Captcha).

Here's the lowdown:

manual steps:
  connect to captcha page
  record session ID and captcha plaintext

automated steps:
  send session ID and captcha plaintext a number of times, changing the user data, eg:

POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
  ^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob@fish.com&captcha=the_plaintext
  ^^^ this includes the captcha string for the page you looked at manually
      the other user data can change on each request

You can then automate hundreds, if not thousands, of requests until the session expires, at which point you just repeat the manual steps and then reconnect with a new session ID and captcha text.

This is -easy- to fix. Here's the vulnerable pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
    process_form();
endif

fixed pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
    captcha_stored="";
    process_form();
endif

- it's a one line fix!

tested scripts:
-------------------------------------------------
http://www.humanverify.com/genDemo.asp
vulnerable (this product has 239 registered users)
-------------------------------------------------
http://drupal.org/project/captcha - demo at http://arnab.drupaldevs.org/user/register
vulnerable
-------------------------------------------------
http://higginsforpresident.net/projects/tacs/demo/
vulnerable
-------------------------------------------------
http://phpbtree.com/captcha/index.php
vulnerable
-------------------------------------------------
http://www.lanapsoft.com/products.html, demo at http://www.captchaservice.com/
vulnerable.
-------------------------------------------------
http://www.codeproject.com/aspnet/CaptchaImage.asp
vulnerable; haven't tested but looking at code, seems to be:

if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString())
{
    // Display an informational message.
    this.MessageLabel.CssClass = "info";
    this.MessageLabel.Text = "Correct!";
}

doesn't clear session so could reconnect and give same word.
-------------------------------------------------
http://james.seng.cc/archives/000145.html
possibly vulnerable; can't get the form to submit even normally!
-------------------------------------------------
http://www.puremango.co.uk/cm_freecap_113.php (my own script)
version 1.3 not vulnerable, version 1.2 and below vulnerable
-------------------------------------------------
http://php.webmaster-kit.com/audit.html
not vulnerable
-------------------------------------------------

"only as secure as the weakest link in the chain" springs to mind.

I also managed to automate requests to www.captcha.net's demos, but having examined the implementation of their system on google, I think it's only the -demo- that's vulnerable. (I assume google's system is the one from the CAPTCHA project; it looks very similar.)

If anyone wants me to look over their scripts, buzz me and I'll be more than willing to see if you're vulnerable, and give advice on how to fix.

--
Computing tools, PHP code, online tools and more at http://www.puremango.co.uk

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
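The replay described in the forwarded post, as an added example that is not part of the original message or of any of the listed products: a small in-memory model of a PHP-style session store with two form handlers, one written like the vulnerable pseudocode (compare, never clear) and one like the one-line fix (clear the stored phrase before processing). The session IDs, field names, captcha phrases and the replay() client are all made up for the demonstration. The stored != "" guard from the post is kept deliberately: once the fix blanks the stored phrase, that guard is what stops a blank answer from matching the blank stored value.

```python
"""CAPTCHA answer replay against a session-backed check (added example)."""
import secrets
import string

# Stand-in for the server-side session store: PHPSESSID -> $_SESSION contents.
SESSIONS: dict[str, dict] = {}

# Forms that a handler accepted; lets the caller see how many went through.
ACCEPTED: list[dict] = []


def new_session() -> str:
    """Issue a fresh session ID (the cookie the attacker records manually)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def serve_captcha(sid: str) -> str:
    """GET the form: pick a phrase, stash it in the session, hand it back.
    A real script would render it into an image; the attacker reads it once."""
    phrase = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))
    SESSIONS[sid]["captcha"] = phrase
    return phrase


def process_form(form: dict) -> None:
    ACCEPTED.append(form)


def handle_post_vulnerable(sid: str, form: dict) -> bool:
    """Mirrors the vulnerable pseudocode: the stored phrase survives a success."""
    stored = SESSIONS[sid].get("captcha", "")
    if stored != "" and form.get("captcha") == stored:
        process_form(form)
        return True
    return False


def handle_post_fixed(sid: str, form: dict) -> bool:
    """Mirrors the fixed pseudocode: blank the stored phrase, then process."""
    session = SESSIONS[sid]
    stored = session.get("captcha", "")
    if stored != "" and form.get("captcha") == stored:
        session["captcha"] = ""  # the one-line fix: an answer is single-use
        process_form(form)
        return True
    return False


def replay(handler, attempts: int = 100) -> int:
    """Attacker model from the post: one manual fetch, then N automated POSTs
    that reuse the same session ID and captcha text with changing user data.
    Returns how many submissions the handler accepted."""
    sid = new_session()
    answer = serve_captcha(sid)          # the manual step
    accepted = 0
    for i in range(attempts):            # the automated step
        form = {"name": f"bob{i}", "email": f"bob{i}@fish.com", "captcha": answer}
        if handler(sid, form):
            accepted += 1
    return accepted


def fixed_requires_fresh_captcha() -> tuple[bool, bool, bool]:
    """After the fix: replaying the used answer fails, a blank answer fails
    (the stored != "" guard), and a newly fetched captcha is accepted again."""
    sid = new_session()
    first = serve_captcha(sid)
    assert handle_post_fixed(sid, {"name": "bob", "captcha": first})
    replayed = handle_post_fixed(sid, {"name": "eve", "captcha": first})
    blank = handle_post_fixed(sid, {"name": "eve", "captcha": ""})
    second = serve_captcha(sid)
    fresh = handle_post_fixed(sid, {"name": "bob", "captcha": second})
    return replayed, blank, fresh


if __name__ == "__main__":
    print("vulnerable handler accepted:", replay(handle_post_vulnerable), "of 100")
    print("fixed handler accepted:     ", replay(handle_post_fixed), "of 100")
    print("replayed / blank / fresh after fix:", fixed_requires_fresh_captcha())
```

The vulnerable handler accepts every one of the hundred replays until the session would expire; the fixed one accepts exactly the first, and a legitimate second submission in the same session only succeeds after the form is fetched again and a new phrase is stored.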
participants (1)
-
Mark Quinn