Security Advisory – SOS-11-007 – PHPCaptcha / Securimage 2.0.2 – Authentication Bypass
Release Date: 20-May-2011
Last Update: –
Vendor Notification Date: 04-Apr-2011
Product: Securimage / PHPCaptcha
Affected versions: 1.0.4 – 2.0.2
Severity Rating: Medium
Impact: Authentication bypass
Attack Vector: Remote without authentication
Solution Status: Vendor workaround (remove securimage_play.php)
CVE reference: Not yet assigned
PHPCaptcha, also known as Securimage, is a popular Open Source PHP CAPTCHA library. It is also used in popular WordPress plugins such as the “Fast Secure Contact Form”.
Insufficient distortion in the audio version of the CAPTCHA allows an attacker to quickly decode the CAPTCHA by performing basic binary analysis of the generated audio file. The issue is compounded by the fact that even if the audio feature of the CAPTCHA has been disabled, the audio script can still be reached by forceful browsing to the /securimage_play.php URI.
Please refer to the PDF version of this advisory for proof of concept code examples.
Remove the script securimage_play.php and disable the use of the Audio CAPTCHA.
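To confirm the workaround has taken effect, the following added example (not part of the advisory or of Securimage) scans web server access logs for requests to securimage_play.php and separates requests the server still answered from those it refused. The log lines are constructed samples in the common "combined" format, and the function name `audio_endpoint_hits` is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2011:10:00:01 +0000] "GET /contact/securimage/securimage_play.php HTTP/1.1" 200 48211 "-" "curl/7.21"
203.0.113.7 - - [20/May/2011:10:00:02 +0000] "GET /contact/securimage/securimage_play.php?x=1 HTTP/1.1" 200 47980 "-" "curl/7.21"
198.51.100.4 - - [20/May/2011:10:02:10 +0000] "GET /wp-content/plugins/form/Securimage_Play%2Ephp HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.9 - - [20/May/2011:10:03:00 +0000] "GET /contact/securimage/securimage_show.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [20/May/2011:10:03:05 +0000] "POST /contact/send.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')
AUDIO_SCRIPT = "securimage_play.php"  # script named in the advisory's workaround


def audio_endpoint_hits(log_text):
    """Return (per-client counts, set of paths still answered with 2xx)."""
    per_client = defaultdict(lambda: {"served": 0, "other": 0})
    served_paths = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        client, target, status = m.groups()
        # Drop the query string, decode %-escapes, compare case-insensitively.
        path = unquote(urlsplit(target).path)
        if path.rsplit("/", 1)[-1].lower() != AUDIO_SCRIPT:
            continue
        if status.startswith("2"):
            per_client[client]["served"] += 1
            served_paths.add(path)  # a copy of the script is still deployed here
        else:
            per_client[client]["other"] += 1
    return dict(per_client), served_paths


if __name__ == "__main__":
    clients, still_served = audio_endpoint_hits(SAMPLE_LOG)
    for ip, counts in sorted(clients.items()):
        print(ip, counts)
    for path in sorted(still_served):
        print("still deployed:", path)
```

Any path reported as still served is a copy of the script that the workaround has not yet removed, including copies bundled inside plugins.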
Phil Taylor from Sense of Security Labs.