Full Disclosure mailing list archives

Vulnerabilities in CaptchaSecurityImages
From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 22 Mar 2010 21:53:20 +0200

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in CaptchaSecurityImages.
It's a captcha script that is used on many web sites and engines.

Advisory: Vulnerabilities in CaptchaSecurityImages
URL: http://websecurity.com.ua/4043/
06.10.2007 - found Insufficient Anti-automation vulnerability during my
Month of Bugs in Captchas project.
17.09.2009 - found Denial of Service vulnerability.
17.03.2010 - disclosed at my site.
18.03.2010 - informed developers.

These are Insufficient Anti-automation and Denial of Service vulnerabilities.

Insufficient Anti-automation:

The parameters characters, width and height of the captcha can be
manipulated by the client. They can be set in such a way that the captcha
is easily bypassed by semi-automated or automated (OCR-based) methods. In
some systems (http://websecurity.com.ua/4046/) it's also possible to use
session reuse with the constant captcha bypass method.


In that way it's possible to set two characters and increase the size of the

Denial of Service:

By setting large values of width and height it's possible to create a large
load on the server.
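Both weaknesses come down to the captcha endpoint letting the request choose characters, width and height. The following Python model is added here and is not the advisory's or CaptchaSecurityImages' own code (which is PHP); it shows that pattern beside a hardened one that honours only server-defined presets, caps the rendering cost, and makes each challenge single-use. Preset names, limits and the session layout are constructed assumptions.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Server-side policy (constructed values, not the script's real defaults).
MIN_CHARS, MAX_CHARS = 6, 8
MAX_PIXELS = 30_000          # rendering budget for a single image
ALPHABET = string.ascii_uppercase + string.digits

@dataclass(frozen=True)
class CaptchaParams:
    characters: int
    width: int
    height: int

PRESETS = {                  # the only sizes a client may ask for, by name
    "default": CaptchaParams(6, 120, 40),
    "wide": CaptchaParams(8, 200, 50),
}

def params_from_request(query: dict) -> CaptchaParams:
    """Weak pattern from the advisory: the client picks the character count
    and image size, so it can ask for 2 characters or for a huge image."""
    return CaptchaParams(int(query.get("characters", 6)),
                         int(query.get("width", 120)),
                         int(query.get("height", 40)))

def params_hardened(query: dict) -> CaptchaParams:
    """Hardened pattern: only a server-defined preset name is honoured; any
    characters/width/height in the query are ignored; policy is checked first."""
    p = PRESETS.get(str(query.get("preset", "default")), PRESETS["default"])
    if not MIN_CHARS <= p.characters <= MAX_CHARS:
        raise ValueError("preset violates character-count policy")
    if p.width * p.height > MAX_PIXELS:
        raise ValueError("preset exceeds rendering budget")
    return p

def issue_code(session: dict, params: CaptchaParams) -> str:
    """Generate the challenge text and keep it only in the server session."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(params.characters))
    session["captcha_code"] = code
    return code

def check_answer(session: dict, answer: str) -> bool:
    """Single use: the stored code is removed before comparing, so a solved
    image cannot be replayed against the same session."""
    expected = session.pop("captcha_code", None)
    return expected is not None and hmac.compare_digest(
        expected.encode(), answer.strip().upper().encode())
```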

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
