This repository has been archived by the owner on Mar 2, 2019. It is now read-only.

Captcha Bypass Vulnerability in /reg.php #25

Closed
ghost opened this issue May 10, 2017 · 1 comment

Comments

@ghost

ghost commented May 10, 2017

/reg.php

if (isset($_POST[ 'name']) && isset($_POST[ 'password2']) && isset($_POST[ 'password']) && $config[ 'reg'] == 'true') {
    $username = $_POST[ 'name'];
    $email = $_POST[ 'email'];
    $password = $_POST[ 'password'];
    $password2 = $_POST[ 'password2'];
    $namecheck = $db->ExecuteSQL(sprintf("SELECT count(*) AS `count` FROM `user` WHERE `name` = '%s'", $db->SecureData($username)));
    if ($namecheck[0]['count'] > 0) {
        $err = 2;
    } elseif ($username == '') {
        $err = 0;
    } elseif ($email == '') {
        $err = 0;
    } elseif ($password == '') {
        $err = 0;
    } elseif ($password != $password2) {
        $err = 1;
    } elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
        $err = 4;
    } else {
        $db->insert(array('name' => $username, 'pass' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email), 'user');
        $err = 3;
    }
}

As with Captcha Bypass Vulnerability in /admin/loginc.php, the following code does not check whether isset($_SESSION['captcha']['code'])==1:
} elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
So, in order to bypass this captcha, we could simply empty $_POST['captcha'], but make sure there is no previous GET request to /reg.php.
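The fix the report calls for is a captcha check that fails closed when the session holds no code at all. The following is an added example, not code from this project or its fix commit: `captcha_matches_loosely` reproduces the reported comparison to show why an absent session code and an empty POST field compare equal, and `verify_captcha` is a hardened replacement that rejects a missing or empty code, compares in constant time and consumes the code so it cannot be reused. The function names and the session/POST arrays in the demo are constructed for illustration; the arrays are passed in explicitly so the script runs from the CLI without session_start().

```php
<?php
// Added example (not the project's own code): a fail-closed captcha check
// for a registration handler like /reg.php. Function names and the demo
// session/post arrays below are constructed for illustration.

/**
 * The reported comparison, reproduced only to show the failure mode:
 * when no captcha was ever generated, the session side is null/'' and an
 * empty POST field is also '', so the loose comparison treats them as equal.
 */
function captcha_matches_loosely(array $post, array $session): bool
{
    return strtolower($post['captcha'] ?? '') == strtolower($session['captcha']['code'] ?? '');
}

/**
 * Hardened check: fails closed when no captcha was issued, rejects empty or
 * non-string input, compares in constant time, and removes the code from the
 * session so a single answer cannot be replayed for a second attempt.
 */
function verify_captcha(array $post, array &$session): bool
{
    // No captcha stored for this session (e.g. no prior GET to the form):
    // refuse instead of comparing against nothing.
    if (!isset($session['captcha']['code'])
        || !is_string($session['captcha']['code'])
        || $session['captcha']['code'] === '') {
        return false;
    }
    $expected = strtolower($session['captcha']['code']);

    // One-time use: discard the code before deciding, so both a wrong guess
    // and a reused answer force a fresh challenge.
    unset($session['captcha']);

    if (!isset($post['captcha']) || !is_string($post['captcha']) || $post['captcha'] === '') {
        return false;
    }
    $given = strtolower($post['captcha']);

    // hash_equals is a constant-time comparison; it also returns false on
    // length mismatch, so no early exit leaks anything about the code.
    return hash_equals($expected, $given);
}

// --- Constructed demo -----------------------------------------------------
// Scenario 1: POST arrives with an empty captcha field and the session has
// never stored a code (the situation described in the report).
$session = [];
$post = ['captcha' => ''];
var_dump(captcha_matches_loosely($post, $session));
var_dump(verify_captcha($post, $session));

// Scenario 2: legitimate flow, a code was issued by the form page and the
// user echoes it back (case-insensitively, as in the original handler).
$session = ['captcha' => ['code' => 'aB3xQ']];
$post = ['captcha' => 'ab3xq'];
var_dump(verify_captcha($post, $session));
var_dump(isset($session['captcha']));

// Scenario 3: the same answer submitted again is refused, because the code
// was consumed by the first successful check.
var_dump(verify_captcha($post, $session));
```

Run with `php` from the command line. In scenario 1 the loose comparison accepts the empty field while `verify_captcha` refuses it; in scenario 2 the hardened check accepts the correct answer and the session entry is gone afterwards; in scenario 3 the replay is refused. In the real handler the same function would be called with `$_POST` and `$_SESSION`, placed before the user-existence query rather than as the last `elseif`, so that unauthenticated requests cannot probe for registered usernames without first solving a captcha.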

@s3131212
Owner

Fixed in 255b44c
