- Advisory ID: DRUPAL-SA-2007-006
- Project: Captcha (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-Jan-30
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Captcha bypass
Description
Captcha validation can be bypassed by manipulating request variables while posting or by providing certain (incorrect) responses. This defeats the purpose of the captcha and makes automated submission possible.
Versions affected
- All versions of Captcha 4.7.x prior to Captcha 4.7-1.2.
- All versions of Captcha 5.x prior to Captcha 5.x-1.1.
Drupal core is not affected. If you do not use the contributed Captcha module, there is nothing you need to do.
Solution
Install the latest version:
See also the Captcha project page.
Reported by
The Drupal security team.
William Smith independently discovered the bypass with "certain (incorrect) responses".
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.