Last Edit (Effective: 7th November 2013)
It seems the plugin authors have updated the security of the plugin. The
entire blog entry below deals with version 3.8.7. In this new paragraph, I
will look at whether the recent updates in version 3.8.8 added the
necessary security to prevent these two attacks:
- Attack vector one: Parsing the captcha logic.
- Attack vector two: Reversing the decode() function and just reading the solution from the hidden fields.
Let's get started:
At line 942 of the plugin code (the start of the function that generates
the captcha) we see that the password is no longer a static cleartext
password; it is built dynamically every 24 hours with the function
cptch_generate_key(). I will show the code here for your convenience:
```php
// Functionality of the captcha logic work for custom form
if ( ! function_exists( 'cptch_display_captcha_custom' ) ) {
    function cptch_display_captcha_custom() {
        global $cptch_options, $cptch_time;
        // Load the plugin options if they are not in memory yet
        if ( ! isset( $cptch_options['cptch_str_key'] ) )
            $cptch_options = get_option( 'cptch_options' );
        // Regenerate the key when it is empty or older than 24 hours
        if ( $cptch_options['cptch_str_key']['key'] == '' || $cptch_options['cptch_str_key']['time'] < time() - ( 24 * 60 * 60 ) )
            cptch_generate_key();
        $str_key = $cptch_options['cptch_str_key']['key'];
        /* (excerpt: the function continues beyond this point) */
```
Let's see if the new function cptch_generate_key() is sufficiently
random. Here is the function code:
```php
/* generate key */
if ( ! function_exists( 'cptch_generate_key' ) ) {
    function cptch_generate_key( $lenght = 15 ) {
        global $cptch_options;
        /* Under the string $simbols you write all …
```
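For comparison, an added example that is not the plugin's code and not part of the original post: one way to implement the 24-hour key rotation shown above with key material drawn from PHP's CSPRNG (`random_int()`, PHP 7+). The function names, the 62-character alphabet and the plain array standing in for the WordPress options store are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Helper names and the alphabet are
// hypothetical; a plain array stands in for get_option()/update_option().

const KEY_LIFETIME = 24 * 60 * 60; // same 24-hour window as the plugin's check

function example_generate_key( int $length = 15 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max      = strlen( $alphabet ) - 1;
    $key      = '';
    for ( $i = 0; $i < $length; $i++ ) {
        // random_int() draws uniformly from the OS CSPRNG, so there is no
        // predictable seed and no modulo bias.
        $key .= $alphabet[ random_int( 0, $max ) ];
    }
    return $key;
}

// Returns the options array with a valid key, regenerating it when it is
// missing, empty, or older than KEY_LIFETIME.
function example_ensure_key( array $options, int $now ): array {
    $entry   = $options['cptch_str_key'] ?? array( 'key' => '', 'time' => 0 );
    $expired = $entry['time'] < $now - KEY_LIFETIME;
    if ( $entry['key'] === '' || $expired ) {
        $options['cptch_str_key'] = array(
            'key'  => example_generate_key(),
            'time' => $now,
        );
    }
    return $options;
}

// Constructed demonstration: empty store, a key reused within the window,
// then a key forced past its lifetime.
$now   = time();
$opts  = example_ensure_key( array(), $now );
$first = $opts['cptch_str_key']['key'];

$same = example_ensure_key( $opts, $now + 3600 );          // one hour later
$opts['cptch_str_key']['time'] = $now - KEY_LIFETIME - 1;  // force expiry
$fresh = example_ensure_key( $opts, $now );

printf( "key length: %d, keyspace: %.1f bits\n", strlen( $first ), 15 * log( 62, 2 ) );
var_dump( $same['cptch_str_key']['key'] === $first );   // key kept inside the window
var_dump( $fresh['cptch_str_key']['key'] !== $first );  // key replaced after expiry
```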