Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal


Granted I don't know or really care about drupal, and I'm not just
trying to defend MustLive,
who just seems to be a guy trying to get ahead in the world, even if
he's a little misguided; but what really gets to me is when people
dismiss issues like that. Not to mention you are assuming that the
defaults are never changed.

full path disclosure IS an information disclosure, unless the code is
designed to disclose it's filesystem path. Any information gathered by
unorthodox methods from an application that wasn't designed to do so,
is an information disclosure.

Information disclosure IS a vulnerability.

Even if an attack vector isn't known, things like filesystem
knowledge, internal varialbe names, error messages, username => id
mapping, etc can still be used from a social engineering perspective.

It is my personal belief that all vulnerabilities should be patched
regardless of existence of a known attack vector or exploit.

If an application does not behave exactly as it's intended in all circumstances:
patch || gutmann()

And, to MustLive; I hope that debugging option or whatever is turned
on by default- otherwise the quoted issue is more of a
misconfiguration.... and yes two days is a completely irrational
acknowledgment duration cap ... :( ... I've had vendors take weeks to
acknowledge an issue.. we have to gently hold the hand of vendors and
teach them how computer work.. I personally suggest putting a proper
disclosure policy on your website and then stick to it.

On 2/17/11, Michele Orru <antisnatchor@xxxxxxxxx> wrote:
If you thing that some statements from MustLive like the following:


Full path disclosure (WASC-13):

At POST request to the page with form with using of Cyrillic char in
parameter op, the error message is showing, which consists the full path on
the system.

Vulnerabilities exist at pages:http://site/user/,http://site/user/1/edit,
http://site/user/1/contact. Other pages which have forms also can be


As noted Drupal developers, these vulnerabilities appear due to turned on
debugging option in administrator panel. So for preventing of these and
other FPD at the site it's needed to turn off this option.

are not hilarious, then you're a really noob.
I mean, every Drupal user knows that the default path to register a new
user is user/register,
or that the default admin account is reachable at user/1, or that the
contact form is at the contact URI.

These are not vulnerabilities, and this is one of the many reasons why
almost no-one in FD
read his "advisories" and flag his address as spam :)


MustLive <mailto:mustlive@xxxxxxxxxxxxxxxxxx>
February 17, 2011 6:18 PM

Hello list!

I want to warn you about Insufficient Anti-automation vulnerability in
reCAPTCHA for Drupal.

In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for
Drupal ( This is new method of bypassing
reCaptcha for Drupal.

Affected products:

Vulnerable are all versions of reCAPTCHA plugin for Captcha module
before 6.x-2.3 and 7.x-1.0.


Insufficient Anti-automation (WASC-21):

In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is
using. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA
other captcha-plugins also can be vulnerable (at that this exploit is a
little different from exploit for default Captcha module for Drupal).

For bypassing of captcha it's needed to use correct value of
captcha_sid, at
that it's possible to not answer at captcha (captcha_response) or set any
answer. This method of captcha bypass is described in my project Month of
Bugs in Captchas ( Attack is possible
this captcha_sid value is active.

Vulnerabilities exist on pages with forms: http://site/contact,
http://site/user/1/contact, http://site/user/password and
http://site/user/register. Other forms where reCAPTCHA is using also
will be



2010.12.11 - announced at my site.
2010.12.14 - informed reCAPTCHA developers.
2010.12.14 - informed Google (reCAPTCHA owner).
2011.02.16 - disclosed at my site.

I mentioned about this vulnerability at my site

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -