Just see the pictures and you will see.
1. Remember
Sid: 9559
Captcha: Mb

2. Use Firebug (Firefox) to edit sid to 9559,
type Mb and it always passes.

(Sorry. My English is not good)

Files:

#40 captcha-session-reuse-810534-40.patch (510 bytes, MiroslavBanov): PASSED: [[SimpleTest]]: [MySQL] 731 pass(es).
#25 captcha_problem.JPG (37.51 KB, solian)
#17 810534_session_reuse_hack_05.patch (32.78 KB, soxofaan): PASSED: [[SimpleTest]]: [MySQL] 546 pass(es).
#16 810534_session_reuse_hack_04.patch (32.05 KB, soxofaan): PASSED: [[SimpleTest]]: [MySQL] 546 pass(es).
#15 810534_session_reuse_hack_03.patch (6.3 KB, soxofaan): PASSED: [[SimpleTest]]: [MySQL] 409 pass(es).
#13 810534_session_reuse_hack_02.patch (6.29 KB, soxofaan): FAILED: [[SimpleTest]]: [MySQL] 409 pass(es), 0 fail(s), and 15 exception(es).
#12 CAPTCHA session reuse hack workaround.jpg (90.75 KB, soxofaan)
#6 810534_session_reuse_hack_01.patch (4.35 KB, soxofaan): FAILED: [[SimpleTest]]: [MySQL] 261 pass(es), 1 fail(s), and 0 exception(es).
#1 1.jpg (51.74 KB, 72ls.net)
#1 2.jpg (55.67 KB, 72ls.net)

Comments

72ls.net’s picture

Attached: 2.jpg (55.67 KB), 1.jpg (51.74 KB)

soxofaan’s picture

Version: 6.x-2.2 » 6.x-2.x-dev
Component: Image Captcha (image_captcha) » Captcha API (captcha)

Confirmed.

It's even worse: you don't have to fill in a CAPTCHA answer, just changing the session ID is enough to pass.

This is pretty serious and unfortunately I don't have the time to look deeper into this today.

72ls.net’s picture

This is my temporary solution (hack code):

File: captcha.module
Function: function captcha_validate($element, &$form_state)
Line: 515

<?php
if ($captcha_validate($solution, $captcha_response, $element, $form_state)) {
  // Correct answer.
  $_SESSION['captcha_success_form_ids'][$form_id] = $form_id;
  // Record success.
  db_query("UPDATE {captcha_sessions} SET status=%d, attempts=attempts+1 WHERE csid=%d", CAPTCHA_STATUS_SOLVED, $csid);
  // Hack code: drop the solved session row so the same csid cannot be
  // submitted again. Table name wrapped in {} so Drupal applies the
  // configured table prefix, as in the UPDATE query above.
  $sql = "DELETE FROM {captcha_sessions} WHERE csid=%d"; /* hack code */
  db_query($sql, $csid);                                 /* hack code */
}
else {
?>

If it's good, pls let me know :)
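A small model of the bypass described at the top of the thread and confirmed in #2 (a solved csid is replayed, so the answer no longer matters), beside a validator that treats a solved challenge as spent and bound to the form and browser session it was issued to. This is an added example, not code from the CAPTCHA module; the form/owner bindings are an assumed design, not the committed patch, and the in-memory SESSIONS dict stands in for the captcha_sessions table.

```python
"""Added model of the CAPTCHA session reuse bypass from this thread; not
code from the CAPTCHA module. SESSIONS stands in for captcha_sessions."""
from dataclasses import dataclass

STATUS_UNSOLVED, STATUS_SOLVED = 0, 1
SESSIONS = {}  # keyed by csid, the id the client sends back with the form


@dataclass
class CaptchaSession:
    solution: str
    status: int = STATUS_UNSOLVED
    form_id: str = ""  # form the challenge was issued for (hardened check)
    owner: str = ""    # browser session the challenge was shown to


def issue(csid, solution, form_id, owner):
    """Server renders a challenge: remember its solution and recipient."""
    SESSIONS[csid] = CaptchaSession(solution, STATUS_UNSOLVED, form_id, owner)


def validate_vulnerable(csid, response):
    """Behaviour reported at the top of the thread and in #2: the csid the
    client sends is trusted, and a row already marked solved passes again
    without any answer."""
    sess = SESSIONS.get(csid)
    if sess is None:
        return False
    if sess.status == STATUS_SOLVED:
        return True  # replayed csid is accepted
    if response == sess.solution:
        sess.status = STATUS_SOLVED
        return True
    return False


def validate_hardened(csid, response, form_id, owner):
    """Assumed hardening, not the committed patch: a solved row is spent and
    a row only counts for the form and browser session it was issued to.
    Returns (accepted, reason)."""
    sess = SESSIONS.get(csid)
    if sess is None:
        return False, "unknown CAPTCHA session"
    if sess.status == STATUS_SOLVED:
        return False, "CAPTCHA session reuse attack detected"
    if sess.form_id != form_id or sess.owner != owner:
        return False, "CAPTCHA session issued to another form or user"
    if response != sess.solution:
        return False, "wrong answer"
    sess.status = STATUS_SOLVED  # consume the challenge
    return True, "ok"
```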

soxofaan’s picture

Status: Active » Needs work

The hack in #3 will cause problems on forms with previews and other multipage forms, I'm afraid.

72ls.net’s picture

Thanks.
My site has preview mode disabled and has no multipage forms, but I'm still waiting for your upgrade. Thanks again.

soxofaan’s picture

Status: Needs work » Needs review
Attached: 810534_session_reuse_hack_01.patch (4.35 KB); FAILED: [[SimpleTest]]: [MySQL] 261 pass(es), 1 fail(s), and 0 exception(es).

Here is a first shot at it.
This patch should fix it for forms like comment. It doesn't work for node-add forms with preview however (testbot should see this).

Note: this patch adds a column to the captcha_sessions table, so be sure to run update.php after patching (or do a fresh install).

Status: Needs review » Needs work

The last submitted patch, 810534_session_reuse_hack_01.patch, failed testing.

FiNeX’s picture

subscribing

soxofaan’s picture

FYI:

I just made a patch for #773124: CAPTCHA dissapears after correct anwer, even with persistance "Always add challange". This is a feature request for a true "always add a challenge" persistence. When you use this persistence level, the CAPTCHA session reuse hack should not work.
This could be used as a temporary workaround for the problem.

rob_roy’s picture

Version: 6.x-2.x-dev » 6.x-2.2

The same 'hacks' are possible using the basic 'math' captcha!

I have a site using Webform with Captcha enabled where multiple automated submissions of complete nonsense text have been submitted over a couple of days on an infrequent time scale, i.e. the Captcha module appears to have been bypassed.

Could this 'hack' result in multiple automated submissions? Confirmation or otherwise appreciated before I look for other possibilities as the cause.

I have installed the patch #773124 as suggested and run update.php but the 'hack' is still possible.

Thank you in advance

FiNeX’s picture

I confirm that in the last days spambots are doing a good job filling out contact forms :-(

soxofaan’s picture

Version: 6.x-2.2 » 6.x-2.x-dev
Attached: CAPTCHA session reuse hack workaround.jpg (90.75 KB)

About #9:
Just committed the fix for #773124: CAPTCHA dissapears after correct anwer, even with persistance "Always add challange", so it should be available in the 6.x-2.x-dev snapshot when it becomes available (within 12 hours at most).

Re #10: the workaround is to install the patch (i.e. install a 6.x-2.x-dev from June 12, 2010 or later) AND enable the "always add a challenge" persistence option. See attachment for visuals.
On my setup it breaks the hack (session can not be reused).

soxofaan’s picture

Title: Hack captcha in 2 step » Hack CAPTCHA in 2 step (CAPTCHA session reuse)
Status: Needs work » Needs review
Attached: 810534_session_reuse_hack_02.patch (6.29 KB); FAILED: [[SimpleTest]]: [MySQL] 409 pass(es), 0 fail(s), and 15 exception(es).

This patch should pass testing.

Status: Needs review » Needs work

The last submitted patch, 810534_session_reuse_hack_02.patch, failed testing.

soxofaan’s picture

Status: Needs work » Needs review
Attached: 810534_session_reuse_hack_03.patch (6.3 KB); PASSED: [[SimpleTest]]: [MySQL] 409 pass(es).

This patch should pass testing.
Really :)

soxofaan’s picture

Attached: 810534_session_reuse_hack_04.patch (32.05 KB); PASSED: [[SimpleTest]]: [MySQL] 546 pass(es).

Further tweaking of the fix: added SimpleTest coverage of the problem and its solution
(also a bit of SimpleTest refactoring for better code reuse).

soxofaan’s picture

Issue tags: +Needs manual testing
Attached: 810534_session_reuse_hack_05.patch (32.78 KB); PASSED: [[SimpleTest]]: [MySQL] 546 pass(es).

(Further tweaking of the fix.)

To all people in this thread: please test this patch (make sure you run update.php, because there is a database update).

This is a pretty major change in the module and I won't commit this without some more serious testing.

I tested it myself, mostly through implementing simpletest coverage test cases (with comment form, node form and user login form), but I'd like more real user tests from you guys and gals.

So if you want this fix in an official release as soon as possible: please give it a try and report your experiences.

rob_roy’s picture

Bit of a noob to the patch process, so please forgive this simple question!

Mac OS X 10.4.11, captcha 6.x-2.2

Uploaded the patch to the captcha directory, logged into the directory via ssh and ran the command patch < 810534_session_reuse_hack_05.patch

However, the log returned:

idesigner.co.uk@n10:~/domains/dev.idesigner.co.uk/html/pragmedic/modules/captcha$ patch < 810534_session_reuse_hack_05.patch
patching file captcha.install
Hunk #2 succeeded at 274 (offset -21 lines).
patching file captcha.module
Hunk #1 succeeded at 182 (offset 10 lines).
Hunk #2 succeeded at 214 (offset 10 lines).
Hunk #3 succeeded at 437 with fuzz 1 (offset 10 lines).
Hunk #4 succeeded at 462 with fuzz 1 (offset 10 lines).
Hunk #5 succeeded at 483 with fuzz 2 (offset 9 lines).
Hunk #6 FAILED at 512.
1 out of 6 hunks FAILED -- saving rejects to file captcha.module.rej
patching file captcha.test
Hunk #1 succeeded at 14 with fuzz 2 (offset -1 lines).
Hunk #2 succeeded at 157 (offset -1 lines).
Hunk #3 succeeded at 167 (offset -1 lines).
Hunk #4 succeeded at 210 (offset -1 lines).
Hunk #5 succeeded at 218 (offset -1 lines).
Hunk #6 succeeded at 278 (offset -1 lines).
Hunk #7 succeeded at 306 (offset -1 lines).
Hunk #8 succeeded at 322 (offset -1 lines).
Hunk #9 succeeded at 499 (offset -1 lines).
Hunk #10 succeeded at 507 (offset -1 lines).
Hunk #11 FAILED at 539.
Hunk #12 FAILED at 549.
Hunk #13 FAILED at 568.
Hunk #14 FAILED at 593.
Hunk #15 FAILED at 604.
Hunk #16 FAILED at 624.
Hunk #17 FAILED at 635.
Hunk #18 FAILED at 659.
Hunk #19 FAILED at 670.
Hunk #20 FAILED at 693.
Hunk #21 FAILED at 704.
11 out of 21 hunks FAILED -- saving rejects to file captcha.test.rej

Due to the failures shown, I restored the original captcha module without running update.php.

Have I applied the patch correctly?

rob_roy’s picture

Agh! Is this the cause of the failures?

Should I have applied the patches in sequence (I jumped to 05), i.e. installed 01, 02, 03, 04, 05 and run update.php after each version?

Appreciate your input

Many thanks

soxofaan’s picture

At rob_roy in #18:
thanks for taking the time to test this!

About your problem: you should always apply a patch to the latest CVS version of the CAPTCHA module, not 6.x-2.2; that's why you got the "Hunk failed" messages.
In practice, in this case you can also use the latest nightly snapshot tarball at http://drupal.org/node/94922

About #19: don't apply the successive versions of the patches, only apply the last version in this thread (#17 at the time of this writing). In Drupal development, a patch in an issue thread almost always overrules previous versions. For example, if there were an updated patch in this thread, you should revert (undo) the previous patch before applying the new patch (the easy way here is just to overwrite everything with the original contents of the tarball).

Hope this helps
and good luck

rob_roy’s picture

Thank you soxofaan for the heads up on #18 + #19; as advised, it worked out.

I have followed your advice and run the patch on Captcha 6.x-2.x-dev on a dev site using Drupal 6.16 core with these modules: Webform 6.x-2.8 with Math Captcha on bespoke forms.

All previous hacks as outlined in the above posts no longer work, with an error message returned about 'reuse etc'.

If you need more info or further testing drop me a line; I would be keen to roll this out on the production site.

many thanks

soxofaan’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev
Status: Needs review » Patch (to be ported)

Ok, I guess I won't get more reviews for this patch through this thread.
The only solution then is to commit it and hope it does not break too much stuff:
http://drupal.org/cvs?commit=387414

Maybe I should make a 6.x-2.3-beta release from it to get more testing.

To be ported to the Drupal 7 version too.

soxofaan’s picture

Cross referencing: the patch at #17 contains bug #844148: Warning: Call-time pass-by-reference has been deprecated in /captcha.install on line 306, already fixed and committed for D6, but this should be taken into account when porting to D7.

72ls.net’s picture

Thank you for the update: CAPTCHA 6.x-2.3-rc2
It's perfect: CAPTCHA session reuse attack detected.
(^ ^)

solian’s picture

Version: 7.x-1.x-dev » 6.x-2.3-rc1
Priority: Critical » Major
Status: Patch (to be ported) » Needs work
Attached: captcha_problem.JPG (37.51 KB)

Sorry, incorrect place;
moved to http://drupal.org/node/918856

soxofaan’s picture

At solian in #25: please start a new issue.

crimsondryad’s picture

Version: 6.x-2.3-rc1 » 7.x-1.x-dev
Priority: Major » Critical
Status: Needs work » Patch (to be ported)

soxofaan,
I see the RC2 in my available updates, but the rc2 isn't showing up as "Other Releases" on Drupal.org. Not sure if this is a problem with the reskin, or with how it was posted.

Many thanks on this module...it has really helped us.
~Crim

crimsondryad’s picture

soxofaan,
Can you push the 6.3 RC2 out as a release please? This issue has been outstanding for a long time. We will install the update and help test. If there were major issues, it seems like we would've heard by now?

Thanks!

soxofaan’s picture

Yup, the 6.x-2.3 release was long overdue. Here it is:
http://drupal.org/node/967244

I was planning to tackle #825088: Exportables support for CAPTCHA points before 6.x-2.3 too, but I couldn't allocate time to work on it yet, which explains the delay for the 6.x-2.3 release. Decided it shouldn't block 6.x-2.3 release anymore.

crimsondryad’s picture

Thanks bunches...we will try it out and let you know if we come across any bugs. :)

crimsondryad’s picture

Ok, I installed RC2 on my staging environment this morning and got this error:
PHP Fatal error: Cannot redeclare captcha_requirements() (previously declared in /var/www/domain/webroot/sites/all/modules/captcha/captcha.module:113) in /var/www/domain/webroot/sites/all/modules/captcha/captcha.install on line 130

soxofaan’s picture

At crimsondryad in #32: are you sure you completely replaced the CAPTCHA module with the new version? I checked the tarball for CAPTCHA 6.x-2.3 and only the file "captcha.install" contains that function captcha_requirements(); it's not in "captcha.module" anymore (it was in previous versions, see #800846: captcha_requirements() defined in .module instead of .install).

crimsondryad’s picture

No, I'm not positive. :P It seems to be working ok other than the initial error on install though, so when we do this on prod tomorrow I'll try again completely removing it and see what happens. By "completely remove" I assume you're talking about the module files and not running an "uninstall" from the db and all. Because that would really suck considering the number of forms we have.

Sorry, that was a duh! moment...I do remember seeing the node about completely uninstalling. I just can't remember if that's what I actually did. dain bramage, FTW.

Thanks for the help, seriously. :)

soxofaan’s picture

Category: bug » task
Priority: Critical » Normal
Status: Patch (to be ported) » Needs work
Issue tags: -Needs manual testing

soxofaan’s picture

Status: Needs work » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

MiroslavBanov’s picture

Category: Task » Bug report
Issue summary: View changes
Status: Closed (fixed) » Needs work

While I was working on #2449209: CAPTCHA API to support (cacheble) reCAPTCHA with ajax API, I noticed that you can still bypass CAPTCHA easily, but you need to pass the csid and token for a solved captcha.

MiroslavBanov’s picture

Status: Needs work » Needs review
Attached: captcha-session-reuse-810534-40.patch (510 bytes); PASSED: [[SimpleTest]]: [MySQL] 731 pass(es).

The error is very simple but hard to spot.

• wundo committed 3cdac6c on 7.x-1.x authored by MiroslavBanov
  Issue #810534 by soxofaan, MiroslavBanov, 72ls.net, crimsondryad: Fix...

wundo’s picture

Title: Hack CAPTCHA in 2 step (CAPTCHA session reuse) » Fix CAPTCHA session reuse
Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.