I'm informing you about new vulnerabilities in WordPress plugin CapCC (http://websecurity.com.ua/2688/).
These are Insufficient Anti-automation, Cross-Site Request Forgery and SQL Injection vulnerabilities.
This captcha vulnerable to half-automated method. Which I described at my site (http://websecurity.com.ua/1595/) and which is low risk.
http://websecurity.com.ua/uploads/2008/CapCC%20CAPTCHA%20bypass.html - for every request new captcha's image-code pair is required.
Cross-Site Request Forgery:
Plugin's option page (http://site/wp-admin/plugins.php?page=capcc-config) is vulnerable for CSRF attack. Which can be used for making attacks for using of SQL Injection and Full path disclosure and Cross-Site Scripting (http://websecurity.com.ua/2699/) vulnerabilities, and also for making possibility of conducting full automated Insufficient Anti-automation attacks.
CSRF + Insufficient Anti-automation:
Because this captcha is vulnerable to SQL Injection which is making via Cross-Site Request Forgery attack, this allows full automated captcha bypass. It's doing via joint CSRF + Insufficient Anti-automation attack, which allows using of the same captcha's image-code pair all the time (lifetime of every image is set in captcha's options, by default it's 24 hours, but this also can be changed via CSRF).
http://websecurity.com.ua/uploads/2008/CapCC%20CSRF.html - first make CSRF attack.
http://websecurity.com.ua/uploads/2008/CapCC%20CAPTCHA%20bypass.html - then use the same captcha's image-code pair for all comments.
This SQL Injection vulnerability is an example of Persistent SQL Injection. It's first Persistent SQLi vulnerability which I found and the only one which I know. So with this hole I present new type of SQLi vulnerabilities.
DoS attack via SQL Injection. Attack occurs during requests to the script itself or to page with captcha. So while visiting of the site, it (via captcha) will be overloading itself.
Determining of a password via SQL Injection. It's Blind SQL Injection. If script (http://site/wp-content/plugins/capcc/capcc.php?r) shows “Expired.” than false, if “Error” than true. To determine a password it's needed to send multiple CSRF requests, so it'll take a long time. And so making first SQL Injection attack (for single request), for conducting DoS attack, will be much easier.
Vulnerable is version CapCC 1.0.
Best wishes & regards,
Administrator of Websecurity web site