2008.01.20

Captcha Unsafe?

I’ve recently received an email asking me to fix some Captcha! vulnerabilities that would allow spammers to post automated spam comments. These supposed vulnerabilities were published on a Russian/Ukrainian blog.

Puzzled by this, I checked those posts. One of them claims Captcha! is vulnerable to CSRF, and the other post is about XSS.

Basically, CSRF means you visit an untrusted (attacker-controlled) website while logged in to your WordPress blog. If that site has been prepared specifically for you (that is, the attacker knows you are going to browse his site while logged in to xxyyzz.com, and that you are the admin of xxyyzz.com), then he can craft a malicious page that changes your WP configuration (Captcha! included) and wait for you to visit it.

Using this (rather improbable and really tricky) technique, visiting the attacker’s site can change the Captcha! code length to 0, which disables it: Captcha! won’t check 0-length codes. The same applies to XSS (the second vulnerability).
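The two weaknesses described above, modelled as an added example (not the plugin’s own code): a settings handler that honours any POST from a logged-in browser, a captcha check that skips comparison when the configured length is 0, and beside each the hardened form that requires a per-session token (the role a WordPress nonce plays) and refuses a length that would disable the check. The `Session` class, option name and form fields are assumptions made for the model.

```python
import hmac
import secrets


class Session:
    """Constructed model of a logged-in admin session and the plugin's options."""

    def __init__(self, code_length=6):
        self.options = {"captcha_code_length": code_length}
        # Per-session secret embedded in the real settings form; a page on another
        # origin cannot read it, so a forged cross-site POST cannot include it.
        self.csrf_token = secrets.token_hex(16)


# Constructed: what a cross-site page can submit on the admin's behalf.
# It carries no token because the attacker never sees one.
FORGED_FORM = {"code_length": "0"}


def save_settings_unsafe(session, form):
    """Vulnerable pattern: any POST arriving with the admin's cookies is applied."""
    session.options["captcha_code_length"] = int(form["code_length"])
    return True


def save_settings_safe(session, form):
    """Hardened: require the session token and reject a length that disables the check."""
    token = form.get("_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False  # forged or replayed request: leave the options untouched
    try:
        length = int(form.get("code_length", ""))
    except ValueError:
        return False
    if length < 1:
        return False  # a 0-length code would turn the captcha off
    session.options["captcha_code_length"] = length
    return True


def captcha_passes_unsafe(session, expected, submitted):
    """Vulnerable check: a configured length of 0 means nothing is compared."""
    if session.options["captcha_code_length"] == 0:
        return True
    return submitted == expected


def captcha_passes_safe(session, expected, submitted):
    """Hardened check: a code is always required and compared in constant time."""
    n = session.options["captcha_code_length"]
    return n > 0 and len(submitted) == n and hmac.compare_digest(submitted, expected)
```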

Protecting against CSRF

This has been fixed in version 2.6 (now available for download).

For previous versions, the best protection against CSRF is to log out of your WP site before browsing an insecure website. If you tend to tick the “Remember me” check box when logging in, don’t use it.

Also use a browser like Firefox with the NoScript! extension installed. This extension will warn you about these kinds of attacks even if you have forgotten to log out of your WP blog.

How will this impact me?

You can relax. There’s nothing dangerous to fix, and Captcha! is safe. Simply upgrade to the latest version.

  1. Visits to a website…

    Thanks for the information. The truth is that without traffic or visits to your site, websites stop making sense. Visits are what give a site life, even more so when there is feedback from users. You can also learn a lot from them….


  2. Hi, I just got hooked on your captcha module and it worked wonderfully until I enabled the Google Analytics plugin for WordPress, Ultimate Google Analytics.
    Any idea why UGA is spoiling the captcha module?

    Thanks for your time..


  3. R_de_Rumba:

    I’m sorry about what happened to you. I saw the “defacing”, but I had to
    go to my doctoral classes.
    I’ve just got home. I see your blog has already been restored.

    You were probably the victim of a “SQL injection” that existed in
    WP 2.3.1, or perhaps they hit you with the XSS attack, but I find that
    unlikely.

    So I don’t think it was your fault or Captcha!’s. I suppose your
    hosting’s administrators will have fixed it by now. If you are the one who
    installs your own WP, always run the latest version whenever you can, and
    keep an eye on the Dashboard (the announcement board in the
    administration panel), since the patches and updates are announced there
    as they come out.


  4. Hi, I was looking for a solution to a hack done to my blog and I’d like to know if you could help me a bit with this mess.

    It was hacked by some idiot and I’d like to know what to do to fix it, since they have changed the administrator account.

    If you like, you can reply to me by email.

    Eternally grateful.


  5. Hello Boriel.

    It’s good that you fixed these holes. Always attend to the security of all of your web sites and web applications.

    And my site is a Ukrainian blog ;-).
