Captcha Bypass Vulnerability in /admin/loginc.php #23

viccon · 2017-05-10T03:04:29Z

/admin/loginc.php

include '../config.php';
if (!session_id()) {
    session_start();
}
$res = $db->select('setting', array('name' => 'admin'));
if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
    $_SESSION['alogin'] = true;
    header('Location: index.php');
} else {
    header('Location: login.php?err=1');
}

Note that $_SESSION['captcha']['code'] is set in /captcha/simple-php-captcha.php.
To bypass the captcha verification, we simply need to empty the $_POST['captcha'], but be sure there is no previous request to /captcha/simple-php-captcha.php.

How to fix:

- if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
+ if ($_POST['password'] == $res[0]['value'] && isset($_SESSION['captcha']['code']) && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {

The text was updated successfully, but these errors were encountered:

s3131212 · 2017-05-10T15:12:05Z

Fixed in 255b44c

s3131212 closed this as completed May 10, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Captcha Bypass Vulnerability in /admin/loginc.php #23

Captcha Bypass Vulnerability in /admin/loginc.php #23

viccon commented May 10, 2017

s3131212 commented May 10, 2017

Captcha Bypass Vulnerability in /admin/loginc.php #23

Captcha Bypass Vulnerability in /admin/loginc.php #23

Comments

viccon commented May 10, 2017

s3131212 commented May 10, 2017