Security Advisory – SOS-11-007 – PHPCaptcha / Securimage 2.0.2 – Authentication Bypass
Release Date: 20-May-2011
Last Update: –
Vendor Notification Date: 04-Apr-2011
Product: Securimage / PHPCaptcha
Platform: PHP
Affected versions: 1.0.4 – 2.0.2
Severity Rating: Medium
Impact: Authentication bypass
Attack Vector: Remote without authentication
Solution Status: Vendor workaround (remove securimage_play.php)
CVE reference: Not yet assigned
Details
PHPCaptcha, also known as Securimage, is a popular Open Source PHP CAPTCHA library. It is also used in popular WordPress plugins such as the “Fast Secure Contact Form”.
Insufficient distortion in the audio version of the CAPTCHA allows an attacker to quickly decode it by performing basic binary analysis of the generated audio file. The issue is compounded by the fact that, even when the audio feature of the CAPTCHA has been disabled, the audio version can still be reached by forceful browsing to the /securimage_play.php URI.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Remove the script securimage_play.php and disable the use of the Audio CAPTCHA.
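To confirm the workaround has taken effect, the web server access log can be checked for requests to securimage_play.php that were still served. The following is an added example, not code from this advisory or its PDF; the function name `audio_endpoint_hits`, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

TARGET = "securimage_play.php"  # script the advisory says to remove

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [21/May/2011:10:02:11 +0000] "GET /contact/securimage/securimage_play.php HTTP/1.1" 200 48211 "-" "curl/7.21.0"
198.51.100.7 - - [21/May/2011:10:02:12 +0000] "GET /contact/securimage/securimage_play.php?x=1 HTTP/1.1" 200 47990 "-" "curl/7.21.0"
203.0.113.20 - - [21/May/2011:10:05:40 +0000] "GET /contact/securimage/securimage_show.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.20 - - [22/May/2011:09:00:03 +0000] "GET /wp-content/plugins/form/securimage_play.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# client IP, request method, request target and response status of one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def audio_endpoint_hits(log_text):
    """Return (served, blocked) Counters keyed by (client_ip, path).

    served  = requests for the audio script answered with 2xx: the script is
              still deployed and reachable, so the workaround is not in place.
    blocked = requests answered with anything else (for example 404 once the
              file has been removed).
    """
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and decode %-escapes before comparing.
        path = unquote(m.group("target").split("?", 1)[0])
        # Match the script as any path segment, case-insensitively, so
        # trailing PATH_INFO and case-insensitive file systems are covered.
        if TARGET not in path.lower().split("/"):
            continue
        bucket = served if 200 <= int(m.group("status")) < 300 else blocked
        bucket[(m.group("ip"), path)] += 1
    return served, blocked

if __name__ == "__main__":
    served, blocked = audio_endpoint_hits(SAMPLE_LOG)
    for (ip, path), n in served.items():
        print(f"STILL SERVED  {n:4d}  {ip}  {path}")
    for (ip, path), n in blocked.items():
        print(f"not served    {n:4d}  {ip}  {path}")
```

Any entry under "STILL SERVED" identifies a copy of the script that has not yet been removed, including copies bundled inside plugins.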
Discovered By
Phil Taylor from Sense of Security Labs.