I am still being attacked by bots which appear to be exploiting reuse of sessions.


Comments

soxofaan’s picture

I see, you use reCAPTCHA as challenge.
can you try the built in image CAPTCHA instead and see if this problem still occurs?

vegantriathlete’s picture

I have changed the user registration to use image CAPTCHA and have reset the settings to allow users to create accounts without admin approval. I'll keep an eye on what happens and get back to you.

carbonat’s picture

Yes the problem still occurs. I still get spam registrations on my site. I also have been able to exploit the bug on my own site for testing purposes.

Hacking into a site is very easy. Look at this HTML code generated by the image CAPTCHA

<div class="captcha"><input type="hidden" name="captcha_sid" id="edit-captcha-sid" value="21072"  />
<input type="hidden" name="captcha_token" id="edit-captcha-token" value="5c658f774362a6636cac7f95070f7709"  />

To exploit the bug you just need to
(1) Open a page where a CAPTCHA appears
(2) Note the captcha_sid value, in this case 21072.
(3) Note the token, in this case 5c658f774362a6636cac7f95070f7709
(4) Note the actual captcha correct response for this particular case (the letters that appeared on the image), it was eXQdQ in this case.

You are now ready to hack that site without having to know a correct response anymore. So this can be automated without any further human intervention.

To hack the site manually you can use the Firebug tool in Firefox or the Web Inspector tool in Safari.

(a) Open the page with the CAPTCHA you want to hack
(b) With Firefox or Safari use the mentioned tool and edit the captcha_sid and token values and enter the values you found in (2) and (3)
(c) In the CAPTCHA field enter the value you noted in (4)
(d) Hit the button on the page to enter. The CAPTCHA will pass successfully.

This is FRIGHTENINGLY EASY. I wonder whether I have some setting in my site that allows me to hack in it that way or whether this is a common problem that needs fixing.

I will appreciate others trying this on their own sites to understand how broadly spread this issue is.

Thanks,

soxofaan’s picture

Priority: Normal » Major

This is strange, there are actually unit tests covering this scenario:
http://drupalcode.org/viewvc/drupal/contributions/modules/captcha/captch...

These are tests on the comment form, node form and login form. But you tried it on the register form. Maybe this might be relevant. Can you try the same hack on another form (e.g. comment form or node form)?

carbonat’s picture

Soxofaan, thank you for your quick post. I require registration for posting comments and captchas do not appear for logged in users. So I allowed anonymous to post comments just to try the captcha on the comment form. I could not hack in this time. So I checked again the registration form and found that only sometimes this hack works. I will try to isolate or figure out what I exactly do or in what circumstances I can hack in. I do not know why the hack worked last time I tried as per my last post. I am not an expert in Drupal, I just use it for my site, so maybe this question is silly: could it be an issue with caching, so it sometimes works and sometimes not? I do not seem to find a particular pattern.

Thanks

carbonat’s picture

I keep receiving spam registrations, about three a day. Just a few minutes ago one came in. There is obviously something wrong either in the captcha module or my site. I can sometimes break in as described in my earlier post, sometimes not. Once the hack procedure fails, I need to pick another set of captcha_sid and token in order to break in again. This is why I believe that something is being cached somewhere or somehow. This issue does not cause anything bad in my site because registrations are never confirmed, though I am becoming tired of it. I will post any small thing I find, but I will appreciate any suggestion about where to look. Thanks

soxofaan’s picture

Category: bug » support
Priority: Major » Normal

Hi carbonat,

I just tried your scenario of #3, but at the moment, I could not reproduce the CAPTCHA session reuse issue you reported.

Maybe the source of the confusion is the following.

First, the point is that you can use/consume a captcha token only once: you can only make one post with a given captcha_token (actually it's the pair (captcha_token, captcha_sid), but that's not the point here). A second post with the same captcha token will block further submission of the form and will raise the "CAPTCHA session reuse attack detected" error.

The following scenario (which might be what you are doing) might look like a backdoor (but it isn't):
You go to the register page and get a form with captcha token "A", captcha session id "B" and solution "C". With help of an inspection tool like firebug you make a note of these values.
Then, without submitting this form you reload the page, getting a new form, with new values: captcha token D, session id E and solution F.
Note that at this point the original CAPTCHA with values A,B,C is not "consumed" yet. So when you overwrite the D,E,F values with the previous values A,B,C and submit this form, the captcha module sees this (server side) as the first form being posted (it doesn't know you discarded it) and accepts it. But after that it invalidates the values A,B,C so they can't be reused anymore.
If you would reload the page another time, getting a form with values G,H,I and you try again to replace these with A,B,C before submitting, this will fail because A,B,C is invalidated and you get the CAPTCHA sessions reuse attack error message.
However, you still have D,E,F, which is not consumed yet, so posting would work with these values.
While this may look like session/token reuse (because you are copy-pasting client side), it is not server side: a captcha token will be invalidated after being used once.

Another note I'd like to make: it's not because you are getting spam, that it is from spambots. It has been reported before that there are companies that hire humans to solve CAPTCHAs. This means that even though the CAPTCHA module could be working perfectly on your site, you are not protected against spam from humans. I'm not saying this is the case with your site, there could indeed be a bug, but it's a possibility to consider.

I hope this clears some things up?
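The one-time token behaviour described in the post above, as an added illustration that is not the captcha module's own code: a small Python model of the server-side CAPTCHA session table (class and function names are my own, the starting session id and solutions are constructed to match the values quoted in this thread), walking through the A,B,C / D,E,F scenario.

```python
import secrets
from dataclasses import dataclass


@dataclass
class CaptchaSession:
    sid: int            # captcha_sid as it appears in the hidden form field
    token: str          # captcha_token as it appears in the hidden form field
    solution: str       # the letters shown on the image
    consumed: bool = False


class CaptchaStore:
    """Server-side table of CAPTCHA sessions, modelled on the thread's
    description: a (captcha_sid, captcha_token) pair is valid for exactly
    one successful post, after which it is invalidated."""

    def __init__(self):
        self._sessions = {}
        self._next_sid = 21072  # constructed starting id, taken from the thread's example

    def issue(self, solution):
        """Render a new form: allocate a session id and a fresh random token."""
        sid = self._next_sid
        self._next_sid += 1
        token = secrets.token_hex(16)
        self._sessions[sid] = CaptchaSession(sid, token, solution)
        return sid, token

    def validate(self, sid, token, answer):
        """Check a posted form; returns the message the server would log."""
        s = self._sessions.get(sid)
        if s is None or s.token != token:
            return "invalid CAPTCHA session"
        if s.consumed:
            return "CAPTCHA session reuse attack detected"
        if answer != s.solution:          # covers the empty answer "" as well
            return "wrong answer"
        s.consumed = True                 # first successful use burns the pair
        return "ok"


def walkthrough():
    """Form 1 is A,B,C; the page is reloaded (form 2 is D,E,F) without
    submitting form 1; the old values are pasted into form 2 and posted."""
    store = CaptchaStore()
    sid_b, token_a = store.issue("eXQdQ")   # form 1: token A, session id B, solution C
    sid_e, token_d = store.issue("35LPa")   # reload: token D, session id E, solution F
    first = store.validate(sid_b, token_a, "eXQdQ")    # A,B,C never consumed: accepted
    second = store.validate(sid_b, token_a, "eXQdQ")   # same pair again: rejected
    third = store.validate(sid_e, token_d, "35LPa")    # D,E,F still unconsumed: accepted
    return first, second, third
```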

carbonat’s picture

Soxofaan, thank you very much for your comprehensive reply. This may indeed be why I am able to *apparently* break in. I will try again and will pay attention to whether I actually submit the form or not, so thanks for pointing this out.

I also read somewhere (a long time ago) that some spam companies may be using humans to solve captchas. Actually, I always assumed that this must be the case with my site, so this is why I happily left captcha without updating for a long time. Only last week I learnt of the existence of the reuse exploit issue, so I tried it on my site with success. That was with a version of captcha that did not have the token field, I believe it was captcha 2.2, but anyway it was one that did not have a fix for the exploit issue.

So then I decided to upgrade to the most recent version, 2.4, I did it on 12 February. Before that I consistently received 2 to 4 spam registrations a day. However on 13 and 14 February the attempts were blocked by captcha. I was happy because I thought captcha 2.4 had solved the problem, but then on 15 February I received two new spam registrations, two more on 16, and two more so far today (17). My first post on this thread was on 16 February.

I wonder why just after upgrading to captcha 2.4 I got two days free of successful spam registrations, which were blocked by the captcha module.

I believe that if such attacks were driven by humans, no matter what captcha version I had installed, they would break in anyway, no? So why did I get two days with the captcha module effectively blocking them, and after that all attempts broke in again easily? Note that it is not that I have a lot of attempts with only a few breaking the captcha, I actually just have 2 spam registration attempts a day, but all of them pass the captcha filter (except on 13 and 14 February). Doesn't this sound strange?

Thanks again for all your help,

carbonat’s picture

Soxofan,

You were right on the condition that *apparently* made me break into the system. Actually what I apparently did after picking the A,B,C values was to go to another page, and then return to the registration page to apply the hack. So actually I had not submitted A,B,C previously. So thanks again for having pointed out this, which I was not able to figure out by myself.

Please look at my previous post just above, I want to add something more to it. The registration attempts that captcha blocked on 13 and 14 February, state the following

user_register post blocked by CAPTCHA module: challenge "Image" (by module "image_captcha"), user answered "", but the solution was "35LPa".

So an empty string (or nothing) was entered in the captcha field. Isn't this suspicious of being a spambot trying to exploit a bug?

carbonat’s picture

Just another came in. This is getting old.

elachlan’s picture

Issue summary: View changes
Status: Active » Closed (outdated)