ID CVE-2007-0658 Type cve Reporter cve@mitre.org Modified 2017-07-29T01:30:00
Description
The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION.
{"osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2007-0658"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://cvs.drupal.org/viewcvs/drupal/contributions/modules/captcha/captcha.module?r1=1.25.2.1&r2=1.25.2.2\n[Vendor Specific Advisory URL](http://drupal.org/node/114364)\n[Secunia Advisory ID:23985](https://secuniaresearch.flexerasoftware.com/advisories/23985/)\n[Secunia Advisory ID:23983](https://secuniaresearch.flexerasoftware.com/advisories/23983/)\nKeyword: DRUPAL-SA-2007-006\nISS X-Force ID: 31994\nISS X-Force ID: 31984\nFrSIRT Advisory: ADV-2007-0431\n[CVE-2007-0658](https://vulners.com/cve/CVE-2007-0658)\nBugtraq ID: 22329\n", "edition": 1, "modified": "2007-01-30T06:33:52", "published": "2007-01-30T06:33:52", "href": "https://vulners.com/osvdb/OSVDB:32137", "id": "OSVDB:32137", "title": "Drupal Captcha Module Bypass", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "cvelist": ["CVE-2007-0658"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://cvs.drupal.org/viewcvs/drupal/contributions/modules/textimage/captcha.inc?r1=1.1&r2=1.1.2.1\n[Vendor Specific Advisory URL](http://drupal.org/node/114519)\n[Secunia Advisory ID:23985](https://secuniaresearch.flexerasoftware.com/advisories/23985/)\nKeyword: DRUPAL-SA-2007-007\n[CVE-2007-0658](https://vulners.com/cve/CVE-2007-0658)\n", "edition": 1, "modified": "2007-01-30T08:33:46", "published": "2007-01-30T08:33:46", "href": "https://vulners.com/osvdb/OSVDB:32138", "id": "OSVDB:32138", "title": "Drupal Textimage Module Bypass", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-20T10:04:12", "description": "The version of 
Drupal installed on the remote host includes at least\none third-party module that adds a captcha to various forms (e.g. user\nregistration) that is affected by a security bypass vulnerability. A\nremote attacker, using a specially crafted 'edit[captcha_response]'\nparameter, can bypass modules designed to protect from automated\nabuse.", "edition": 27, "published": "2007-02-01T00:00:00", "title": "Drupal Multiple Module $_SESSION Manipulation CAPTCHA Bypass", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0658"], "modified": "2007-02-01T00:00:00", "cpe": ["cpe:/a:drupal:drupal", "cpe:/a:drupal:textimage"], "id": "DRUPAL_CAPTCHA_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/24264", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(24264);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2007-0658\");\n script_bugtraq_id(22329);\n\n script_name(english:\"Drupal Multiple Module $_SESSION Manipulation CAPTCHA Bypass\");\n script_summary(english:\"Attempts to bypass captcha when registering as a new user in Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by a\nsecurity bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Drupal installed on the remote host includes at least\none third-party module that adds a captcha to various forms (e.g. user\nregistration) that is affected by a security bypass vulnerability. 
A\nremote attacker, using a specially crafted 'edit[captcha_response]'\nparameter, can bypass modules designed to protect from automated\nabuse.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/node/114364\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/node/114519\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal captcha module version 4.7-1.2 / 5.x-1.1 and/or\ntextimage module version 4.7-1.2 / 5.x-1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:textimage\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Drupal\", \"www/PHP\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\n\n# Make sure the affected script exists.\nbase_url = build_url(qs:dir, port:port);\nvuln = FALSE;\n\nurl = dir + \"/user/register\";\nr = http_send_recv3(port:port, method: \"GET\", item: url, exit_on_fail:TRUE);\n# Clean URLS may not be enabled\nif (r[0] =~ '404 Not Found')\n{\n url = dir + \"/?q=user/register\";\n r = http_send_recv3(port:port, method: \"GET\", item: url, exit_on_fail:TRUE);\n}\n\n# If it does and uses a captcha...\nif (\n 'value=\"Create new account\"' >< r[2] &&\n 'captcha_response' >< r[2]\n)\n{\n # The $_SESSION needs to be blank, so clear all cookies\n clear_cookiejar();\n user = SCRIPT_NAME - \".nasl\" + \"-\" + unixtime();\n # Drupal 4.x\n if (' name=\"edit[captcha_response]\"' >< r[2])\n {\n # Try to bypass the captcha when registering.\n postdata =\n \"edit[captcha_response]=%80&\" +\n \"edit[name]=\"+ user + \"&\" +\n # nb: this causes the registration to fail!\n \"edit[mail]=\"+ user + \"&\" +\n \"edit[form_id]=user_register&\" +\n \"op=Create+new+account\";\n r = http_send_recv3(\n method : \"POST\",\n port : port,\n item : url,\n data : postdata,\n content_type: \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n }\n # Drupal 5.x\n else\n {\n # Try to bypass the captcha when registering.\n postdata =\n \"captcha_response=%80&\" +\n \"name=\"+ user + \"&\" +\n # nb: this causes the registration to fail!\n \"mail=\"+ user + \"&\" +\n \"form_id=user_register&\" +\n 
\"op=Create+new+account\";\n r = http_send_recv3(\n method : \"POST\",\n port : port,\n item : url,\n data : postdata,\n content_type: \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n }\n # There's a problem if it looks like the registration is ok\n # except for the email address.\n pat = \"The e-mail address <em>\" + user + \"</em> is not valid.\";\n if (\n pat >< r[2] &&\n (\n # nb: error if captcha type is 'captcha'.\n \"The answer you entered to the math problem is incorrect.\" >!< r[2] &&\n # nb: error if captcha type is 'textimage'.\n \"The image verification code you entered is incorrect\" >!< r[2]\n )\n )\n {\n vuln = TRUE;\n output = strstr(r[2], pat);\n }\n}\nelse exit(0, 'The '+app+' install at '+base_url+' does not use captchas.');\n\nif (vuln)\n{\n rep_extra = 'The above request attempts to register a user with an invalid'+\n '\\nemail address and an empty captcha value which will result in only' +\n '\\nan error regarding the invalid email if successful. 
A failed' +\n '\\nbypass attempt would result in an error for the catpcha field.';\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n rep_extra : rep_extra,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n );\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, base_url);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-0659", "CVE-2007-0379", "CVE-2007-0385", "CVE-2007-0590", "CVE-2006-6962", "CVE-2007-0700", "CVE-2007-0362", "CVE-2007-0382", "CVE-2006-5047", "CVE-2007-0469", "CVE-2007-0386", "CVE-2007-0611", "CVE-2007-0696", "CVE-2007-0380", "CVE-2007-0497", "CVE-2007-0589", "CVE-2007-0489", "CVE-2007-0660", "CVE-2007-0378", "CVE-2007-0695", "CVE-2007-0759", "CVE-2007-0364", "CVE-2007-0384", "CVE-2007-0658", "CVE-2007-0699"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2007-02-02T00:00:00", "published": "2007-02-02T00:00:00", "id": "SECURITYVULNS:VULN:7151", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7151", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}