[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1636999222.20080116013334@SECURITY.NNOV.RU>
Date: Wed, 16 Jan 2008 01:33:34 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Jos?e M. Palazon Romero" <josem.palazon@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Defeating audio captcha systems
Dear Jos?e M. Palazon Romero,
This approach is not new, it was demonstrated by ShAnKaR
<shankar_(at)_shankar.name> against Simple Machines Forum 1.1.2 in June,
2007.
See:
http://securityvulns.ru/Rdocument271.html (in Russian)
http://securityvulns.ru/files/capcha.pl (Exploit code)
http://www.securityfocus.com/archive/1/archive/1/471641/100/0/threaded
--Tuesday, January 15, 2008, 9:01:03 AM, you wrote to bugtraq@...urityfocus.com:
JeMPR> Hi all,
JeMPR> Some days ago I wrote an advisory which demonstrates how the
Peter's
JeMPR> Math Antispam Spinoff plugin for wordpress
JeMPR> (http://www.theblog.ca/math-anti-spam) can be defeated by its
audio file.
JeMPR> It's hard to summarize, you better read the advisory, but in a
very
JeMPR> small nutshell, the flaw its about not using any kind of
distortion on
JeMPR> the audio clip, which makes it easily identificable by a script.
JeMPR> Here is the link:
JeMPR> http://docs.google.com/View?docid=df36cd52_19xzmkwqcg
JeMPR> I'm sure you will find the advisory inspirational, as the
approach is
JeMPR> applicable to many other capthas, and anti-script methods.
JeMPR> Regards
JeMPR> Jose
--
~/ZARAZA http://securityvulns.com/
Человек это тайна... я занимаюсь этой тайной чтобы быть человеком. (Достоевский)
Powered by blists - more mailing lists