01.20
I’ve recently received an email asking me to fix some Captcha! vulnerabilities that would allow spammers to enter automated spam comments. These supposed vulnerabilities were published on a Russian/Ukrainian blog.
Puzzled by this, I checked those posts. One of them claimed Captcha! is vulnerable to CSRF, and the other post is about XSS.
Basically, CSRF means you visit an insecure website while logged in to your WordPress blog. If that site has been prepared specifically for you (that is, the attacker knows you are going to browse his site while logged in to xxyyzz.com, and that you are the admin of xxyyzz.com), he can create a malicious page that changes your WP configuration (Captcha! included) and wait for you to visit it.
Using this (rather improbable and really tricky) technique, visiting the attacker’s site can change the Captcha! code length to 0, which disables it: Captcha! won’t check 0-length codes. The same applies to XSS (the second vulnerability).
Protecting against CSRF
This has been fixed in version 2.6 (now available for download).
For previous versions, the best protection against CSRF is to log out of your WP site before browsing an insecure website. If you tend to tick the “Remember me” check box when logging in, don’t use it.
Also use a browser like Firefox with the NoScript! extension installed. This extension will warn you about these kinds of attacks even if you have forgotten to log out of your WP blog.
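As an added example (not the plugin’s own code, and not necessarily how version 2.6 implemented its fix), this is how a WordPress settings handler can be hardened against both issues described above: the capability and nonce checks reject a forged request coming from another site, the length clamp means a submitted 0 can never disable the check, and escaping the stored value when it is printed back covers the XSS side. The option name, hook names and length range are hypothetical.

```php
<?php
// Added example: a hardened settings handler for a hypothetical plugin whose
// only option is the captcha code length, stored in the 'captcha_len' option.

add_action( 'admin_post_captcha_save', 'captcha_handle_save' ); // hypothetical action name

function captcha_handle_save() {
    // 1. Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Require a WordPress nonce bound to this action and the current user.
    //    A page on another site cannot know it, so a forged POST dies here.
    check_admin_referer( 'captcha_save_settings', 'captcha_nonce' ); // hypothetical names

    // 3. Validate the value: never store a length that would disable the check.
    $len = isset( $_POST['captcha_len'] ) ? absint( $_POST['captcha_len'] ) : 0;
    update_option( 'captcha_len', captcha_clamp_length( $len ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=captcha&updated=1' ) );
    exit;
}

// Keeps the code length in a sane range so a 0 cannot silently turn the captcha off.
function captcha_clamp_length( $len ) {
    $len = (int) $len;
    if ( $len < 4 )  { return 4; }
    if ( $len > 10 ) { return 10; }
    return $len;
}

// The settings form. The nonce field is what makes a legitimate submission
// distinguishable from a forged one; esc_attr() stops a stored value from
// being rendered as markup (the XSS side).
function captcha_settings_form() {
    $len = (int) get_option( 'captcha_len', 6 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="captcha_save">
        <?php wp_nonce_field( 'captcha_save_settings', 'captcha_nonce' ); ?>
        <label>Code length
            <input type="number" name="captcha_len" min="4" max="10"
                   value="<?php echo esc_attr( $len ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```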
How will this impact me?
You can relax. There’s nothing dangerous to fix, and Captcha! is safe. Simply upgrade to the latest version.

