Date: Mon, 22 Mar 2010 21:51:24 +0200
From: "MustLive" <>
Subject: Vulnerabilities in CaptchaSecurityImages

Hello Bugtraq!

I want to warn you about security vulnerabilities in CaptchaSecurityImages.
It's a captcha script that is used on many web sites and engines.

Advisory: Vulnerabilities in CaptchaSecurityImages
06.10.2007 - found Insufficient Anti-automation vulnerability during my
Month of Bugs in Captchas project.
17.09.2009 - found Denial of Service vulnerability.
17.03.2010 - disclosed at my site.
18.03.2010 - informed developers.

These are Insufficient Anti-automation and Denial of Service

Insufficient Anti-automation:

The characters, width and height parameters of the captcha can be manipulated
by the client. They can be set in such a way that allows easy bypass of the
captcha by half-automated or automated (OCR-based) methods. In some systems
( it's also possible to use session reuse together with the
constant-captcha bypass method.


In that way it's possible to set two characters and increase the size of the

Denial of Service:

By setting large values for width and height it's possible to create a
large load on the server, since the image is allocated at the requested size.
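A hardened handler for the two issues above, as an added example that is not the CaptchaSecurityImages project's own code; the preset table, the function names and the 'security_code' session key are assumptions made for this illustration:

```php
<?php
// Added example, not code from CaptchaSecurityImages or its author.
// Function names, the preset table and the session key 'security_code'
// are assumptions chosen for this illustration.

// Weak pattern the advisory describes: character count and image size are
// read from the query string, so any caller can pick them.
function captcha_params_weak(array $query): array
{
    return [
        'characters' => (int)($query['characters'] ?? 6),
        'width'      => (int)($query['width'] ?? 120),
        'height'     => (int)($query['height'] ?? 40),
    ];
}

// Hardened form: the client may only name a preset; numbers never come
// from the request, so neither the difficulty nor the allocation size is
// under the caller's control. Unknown preset names fall back to the default.
const CAPTCHA_PRESETS = [
    'default' => ['characters' => 6, 'width' => 120, 'height' => 40],
    'large'   => ['characters' => 6, 'width' => 200, 'height' => 60],
];

function captcha_params_hardened(array $query): array
{
    $name = $query['size'] ?? 'default';
    if (!is_string($name) || !isset(CAPTCHA_PRESETS[$name])) {
        $name = 'default';
    }
    return CAPTCHA_PRESETS[$name];
}

// One-shot verification: the stored code is removed before the comparison
// result is returned, so a solved captcha cannot be replayed by reusing
// the same session (the "session reusing" case in the advisory).
function verify_captcha_once(array &$session, string $answer): bool
{
    if (!isset($session['security_code']) || !is_string($session['security_code'])) {
        return false;
    }
    $expected = $session['security_code'];
    unset($session['security_code']);          // invalidate even on failure
    return hash_equals($expected, $answer);
}

// Usage in the image script:  $p = captcha_params_hardened($_GET);
//   $img = imagecreatetruecolor($p['width'], $p['height']); ...
// On form submit: if (!verify_captcha_once($_SESSION, $_POST['code'] ?? '')) { /* reject */ }
```

With the preset approach, a request such as ?characters=2&width=3000&height=3000 has no effect on the generated image, which removes both the easy-OCR setting and the oversized allocation.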

Best wishes & regards,
Administrator of Websecurity web site
