fucking *two days*? Is that even enough time for the vendor to acknowledge?

On Feb 17, 2011 9:20 AM, "MustLive" <[email protected]> wrote:
> Hello list!
>
> I want to warn you about Insufficient Anti-automation vulnerability in
> reCAPTCHA for Drupal.
>
> In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for
> Drupal (http://websecurity.com.ua/1505/). This is new method of bypassing
> reCaptcha for Drupal.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are all versions of reCAPTCHA plugin for Captcha module versions
> before 6.x-2.3 and 7.x-1.0.
>
> ----------
> Details:
> ----------
>
> Insufficient Anti-automation (WASC-21):
>
> In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is
> using. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA
> other captcha-plugins also can be vulnerable (at that this exploit is a
> little different from exploit for default Captcha module for Drupal).
>
> For bypassing of captcha it's needed to use correct value of captcha_sid, at
> that it's possible to not answer at captcha (captcha_response) or set any
> answer. This method of captcha bypass is described in my project Month of
> Bugs in Captchas (http://websecurity.com.ua/1498/). Attack is possible while
> this captcha_sid value is active.
>
> Vulnerabilities exist on pages with forms: http://site/contact,
> http://site/user/1/contact, http://site/user/password and
> http://site/user/register. Other forms where reCAPTCHA is using also will be
> vulnerable.
>
> Exploit:
>
> http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html
>
> ------------
> Timeline:
> ------------
>
> 2010.12.11 - announced at my site.
> 2010.12.14 - informed reCAPTCHA developers.
> 2010.12.14 - informed Google (reCAPTCHA owner).
> 2011.02.16 - disclosed at my site.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4752/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
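Added example, not part of the thread and not code from Drupal, the Captcha module or reCAPTCHA: a small Python model of the weakness the quoted advisory describes (an active captcha_sid accepted with an empty or arbitrary captcha_response) beside a check that consumes the sid on every submission and always verifies the response. The class, its method names, the TTL and the verify_response callback are assumptions made for illustration.

```python
import secrets
import time


class CaptchaSessions:
    """Hypothetical in-memory model of issued challenges (not Drupal's schema)."""

    def __init__(self, verify_response, ttl_seconds=300, clock=time.monotonic):
        self.verify_response = verify_response  # stand-in for the CAPTCHA service check
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._active = {}  # captcha_sid -> time issued

    def issue(self):
        sid = secrets.token_urlsafe(16)
        self._active[sid] = self.clock()
        return sid

    def weak_check(self, captcha_sid, captcha_response=None):
        # Models the reported behaviour: an active sid is sufficient, the
        # response is never verified and the sid remains usable afterwards.
        return captcha_sid in self._active

    def strict_check(self, captcha_sid, captcha_response):
        # Consume the sid before anything else, so every submission (right
        # or wrong) burns it and a replayed sid is simply unknown.
        issued_at = self._active.pop(captcha_sid, None)
        if issued_at is None:
            return False
        if self.clock() - issued_at > self.ttl_seconds:
            return False
        if not captcha_response:
            return False
        return bool(self.verify_response(captcha_response))


def demo():
    """Replay one sid three times against each check; the answer is constructed."""
    results = {}
    for name in ("weak_check", "strict_check"):
        store = CaptchaSessions(verify_response=lambda r: r == "constructed-answer")
        sid = store.issue()
        check = getattr(store, name)
        results[name] = [check(sid, "constructed-answer"), check(sid, ""), check(sid, "guess")]
    return results


if __name__ == "__main__":
    print(demo())
```

With the strict check, a form handler has to issue a fresh captcha_sid for every rendered form, since a failed attempt invalidates the old one.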
