[drupal-devel] Fwd: [WEB SECURITY] CAPTCHA vulnerabilities - multiple vendors

Mark Quinn cheeky.mini at gmail.com
Mon May 23 09:17:24 UTC 2005


Vulnerability found in the Drupal captcha implementation.

---------- Forwarded message ----------
From: systemcracker at gmail.com <systemcracker at gmail.com>
Date: May 22, 2005 10:34 PM
Subject: [WEB SECURITY] CAPTCHA vulnerabilities - multiple vendors
To: webappsec <webappsec at securityfocus.com>, websecurity at webappsec.org

Hi there.

While developing a CAPTCHA script in PHP, I found a serious problem
with my own script that also affects a *large* number of commercial
and free CAPTCHA applications.

Most CAPTCHAs don't destroy the session when the correct phrase is
entered; this enables attackers to re-use a session ID for a known
captcha string, thus allowing multiple form submittals. A list of all
the scripts I could get my hands on, with details of whether they're
vulnerable or not, is given below (taken from
http://en.wikipedia.org/wiki/Captcha).

Here's the lowdown:

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
send session ID and captcha plaintext a number of times, changing the
user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request

you can then automate hundreds, if not thousands of requests, until
the session expires, at which point you just repeat the manual steps
and then reconnect with a new session id and captcha text.

This is -easy- to fix, here's the vulnerable pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored
then
    process_form();
endif

fixed pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored
then
    captcha_stored="";
    process_form();
endif

- it's a one line fix!

tested scripts:
-------------------------------------------------
http://www.humanverify.com/genDemo.asp
vulnerable (this product has 239 registered users)
-------------------------------------------------
http://drupal.org/project/captcha - demo at
http://arnab.drupaldevs.org/user/register
vulnerable
-------------------------------------------------
http://higginsforpresident.net/projects/tacs/demo/
vulnerable
-------------------------------------------------
http://phpbtree.com/captcha/index.php
vulnerable
-------------------------------------------------
http://www.lanapsoft.com/products.html, demo at
http://www.captchaservice.com/
vulnerable.
-------------------------------------------------
http://www.codeproject.com/aspnet/CaptchaImage.asp
vulnerable; haven't tested but looking at code, seems to be:
if (this.CodeNumberTextBox.Text ==
    this.Session["CaptchaImageText"].ToString())
{
    // Display an informational message.
    this.MessageLabel.CssClass = "info";
    this.MessageLabel.Text = "Correct!";
}
doesn't clear session so could reconnect and give same word.
-------------------------------------------------
http://james.seng.cc/archives/000145.html
possibly vulnerable; can't get the form to submit even normally!
-------------------------------------------------
http://www.puremango.co.uk/cm_freecap_113.php (my own script)
version 1.3 not vulnerable, version 1.2 and below vulnerable
-------------------------------------------------
http://php.webmaster-kit.com/audit.html
not vulnerable
-------------------------------------------------

"only as secure as the weakest link in the chain" springs to mind.

I also managed to automate requests to www.captcha.net's demos, but
having examined the implementation of their system on google, I think
it's only the -demo- that's vulnerable. (I assume google's system is
the one from the CAPTCHA project; it looks very similar)

If anyone wants me to look over their scripts, buzz me and I'll be
more than willing to see if you're vulnerable, and give advice on how
to fix.

--
Computing tools, PHP code, online tools and more at 
http://www.puremango.co.uk

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
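The defect the forwarded post describes (a CAPTCHA answer that stays valid in the session after a correct submission, so the same session ID and plaintext can be replayed) and its fix, modelled in Python as an added example. This is not the author's script, the Drupal module, or any of the listed products; a plain dict stands in for PHP's $_SESSION, and the hypothetical helper names (new_challenge, verify_vulnerable, verify_fixed, simulate_replay) are this example's own. It goes one step further than the one-line fix in the post: the stored answer is consumed on every verification attempt, not only on success, so a wrong guess against the same challenge cannot be retried either.

```python
"""Single-use CAPTCHA verification versus the replayable version.

Added example, not code from the original post. A dict simulates the
server-side session; the challenge text stands in for the image."""
import secrets


def new_challenge(session: dict) -> str:
    """Issue a fresh challenge and record the expected answer in the session.

    Returns the answer only so the simulation below can 'read the image';
    a real handler would render it into the CAPTCHA picture instead."""
    answer = secrets.token_hex(3)
    session["captcha"] = answer
    return answer


def verify_vulnerable(session: dict, submitted: str) -> bool:
    """The pattern the post reports: compare, but never clear the stored answer.

    Every later request carrying the same session cookie and the same
    plaintext passes again, so one human solve unlocks unlimited submits."""
    stored = session.get("captcha", "")
    return stored != "" and submitted == stored


def verify_fixed(session: dict, submitted: str) -> bool:
    """Hardened check: the stored answer is removed before the comparison.

    pop() consumes the challenge whether or not the answer is right, so a
    replay of a correct answer and a brute-force of a wrong one both fail
    until the client fetches a new challenge. compare_digest avoids leaking
    the answer through comparison timing."""
    stored = session.pop("captcha", "")
    if stored == "" or not isinstance(submitted, str):
        return False
    return secrets.compare_digest(submitted.encode(), stored.encode())


def simulate_replay(verify, attempts: int = 5) -> int:
    """Replay one solved challenge `attempts` times and count accepted forms.

    Mirrors the post's scenario: the session ID and captcha text are fixed,
    only the other form fields change per request (constructed sample data)."""
    session: dict = {}
    answer = new_challenge(session)          # the one manual solve
    accepted = 0
    for i in range(attempts):
        form = {                              # constructed form submission
            "name": f"bob{i}",
            "email": f"bob{i}@example.invalid",
            "captcha": answer,                # same plaintext every time
        }
        if verify(session, form["captcha"]):
            accepted += 1                     # process_form() would run here
    return accepted


def wrong_answer_consumes_challenge() -> bool:
    """After a failed attempt the hardened handler holds no usable challenge."""
    session: dict = {}
    new_challenge(session)
    rejected = not verify_fixed(session, "not the answer")
    return rejected and "captcha" not in session


if __name__ == "__main__":
    print("vulnerable handler accepted:", simulate_replay(verify_vulnerable))
    print("fixed handler accepted:     ", simulate_replay(verify_fixed))
    print("wrong answer consumed:      ", wrong_answer_consumes_challenge())
```

Running the block shows the vulnerable handler accepting all five replayed submissions and the fixed handler accepting exactly one, after which the session holds no challenge and a client must request a new image. The same consume-before-compare shape applies to the C# snippet quoted above: remove Session["CaptchaImageText"] before acting on the comparison result.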