- Advisory ID: DRUPAL-SA-2007-006
- Project: Captcha (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-Jan-30
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Captcha bypass

Captcha validation can be bypassed by manipulating request variables while posting or by providing certain (incorrect) responses. This defeats the purpose of the captcha and makes automated submission possible.

- All versions of Captcha 4.7.x prior to Captcha 4.7-1.2.
- All versions of Captcha 5.x prior to Captcha 5.x-1.1.

Drupal core is not affected. If you do not use the contributed Captcha module, there is nothing you need to do.
Install the latest version:
See also the Captcha project page.
The Drupal security team.
William Smith independently discovered the bypass with "certain (incorrect) responses".
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.