Captcha implementation of PHP-Nuke poorly written

Several security advisories about the Captcha implementation in PHP-Nuke have been released.

The original report from Janek “waraxe” Vind states:

-Quote begins-
We can see that the challenge is called “$random_num” and the response “$code” is constructed from various parts. And this algorithm means that some specific challenge will have the same response in the following conditions:

1. It must be same day (because of the “$datekey”)
2. HTTP_USER_AGENT must be the same

So how to exploit this design weakness? First we need a working challenge/response pair from the “victim” server. For this let’s look at the CAPTCHA picture with numbers at the login page.
Right mouse click on that picture and (in case of IE) –> properties–>address , and we can see picture url, something like this:
“http: // localhost/nuke78/modules.php?gfx=gfx&random_num=112652”
-Quote ends-
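To make the weakness concrete, here is an added model of the two designs in Python (illustrative code, not PHP-Nuke’s own and not from waraxe’s advisory). The exact formula PHP-Nuke uses to build “$code” is not on this page; the only property the advisory relies on is that the response is a pure function of the day key, the User-Agent and the challenge number sent back by the client, so an MD5 over those three parts stands in for it here. The server, user-agent strings, date keys and session ids are all constructed for the demonstration.

```python
"""Model of a stateless, recomputed captcha (the PHP-Nuke design weakness)
beside a per-session, single-use captcha. Assumptions: the MD5 derivation
is a stand-in for PHP-Nuke's real formula, and every string below is made up
for the example."""

import hashlib
import hmac
import secrets


def weak_response(random_num: int, datekey: str, user_agent: str) -> str:
    """Assumed model of the flawed derivation: the expected code depends only
    on the day, the User-Agent and the challenge number, nothing else."""
    digest = hashlib.md5(f"{datekey}|{user_agent}|{random_num}".encode()).hexdigest()
    return digest[:6]


class WeakCaptcha:
    """Server that keeps no per-session state: it trusts the random_num the
    client sends back and recomputes the code from it on every request."""

    def __init__(self, datekey: str):
        self.datekey = datekey

    def image_text(self, random_num: int, user_agent: str) -> str:
        # What a request like gfx=gfx&random_num=... would draw into the picture.
        return weak_response(random_num, self.datekey, user_agent)

    def verify(self, random_num: int, code: str, user_agent: str) -> bool:
        # No record that random_num was ever issued, and nothing marks it used,
        # so a solved (random_num, code) pair stays valid all day for this UA.
        expected = weak_response(random_num, self.datekey, user_agent)
        return hmac.compare_digest(code, expected)


def replay_attack(server: WeakCaptcha, user_agent: str, random_num: int, attempts: int) -> int:
    """Attacker has a human read the picture once, then reuses the same
    challenge/response pair for every later login attempt. Returns how many
    of the attempts passed the captcha check."""
    solved_code = server.image_text(random_num, user_agent)  # solved exactly once
    return sum(server.verify(random_num, solved_code, user_agent) for _ in range(attempts))


class SessionCaptcha:
    """Server-side, per-session, single-use challenge: the client never picks
    the challenge, and a solved one is consumed by its first use."""

    def __init__(self):
        self._pending = {}  # session_id -> code waiting to be solved

    def issue(self, session_id: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[session_id] = code
        return code  # rendered into the image only; never placed in a URL parameter

    def verify(self, session_id: str, code: str) -> bool:
        expected = self._pending.pop(session_id, None)  # gone after one check
        return expected is not None and hmac.compare_digest(expected, code)


def replay_against_session(server: SessionCaptcha, attempts: int) -> int:
    """Same replay as above against the per-session design: only the first
    submission of the solved code can succeed."""
    sid = "sess-constructed-1"
    solved = server.issue(sid)
    return sum(server.verify(sid, solved) for _ in range(attempts))


if __name__ == "__main__":
    weak = WeakCaptcha(datekey="20050101")
    print("weak design, replays accepted:", replay_attack(weak, "Mozilla/4.0 (constructed)", 112652, 50))
    print("session design, replays accepted:", replay_against_session(SessionCaptcha(), 50))
```

The two conditions in the advisory fall out of the model: change the day key or the User-Agent and the recomputed code no longer matches, but keep both fixed and the server will accept the same pair indefinitely, which is what turns one solved picture into an unlimited supply of login attempts.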

Secunia’s advice (as a workaround) is not to rely on the captcha feature to prevent automated logons to PHP-Nuke. SecurityFocus, in turn, warns that this flaw may be used to carry out other attacks against the login page; brute force attempts are the example they list.

BTW: according to Secunia’s PHP-Nuke product database, 23 out of 27 Secunia advisories for PHP-Nuke are currently marked as “Unpatched”.

The original captcha model (“completely automated public Turing test to tell computers and humans apart”) itself is nine years old.