ISS X-Force Database: lanap-botdetect-captcha-security-bypass(27409): Lanap BotDetect ASP.NET CAPTCHA security bypass

Lanap BotDetect ASP.NET CAPTCHA security bypass

lanap-botdetect-captcha-security-bypass (27409)

Medium Risk

Description:

Lanap BotDetect ASP.NET could allow a remote attacker to bypass the CAPTCHA implementation. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test tool used to determine if a request is from a human user or has been automated. The CAPTCHA component uses the page viewState to store the UUID and hash for a given CAPTCHA. An attacker could replay a viewState of a known number to bypass the CAPTCHA security feature.

Platforms Affected:

Lanap Software, Lanap BotDetect prior to 1.5.4.0

Remedy:

Upgrade to the latest version of Lanap BotDetect (1.5.4.0 or later), available from the Lanap Software Web site. See References

Consequences:

Bypass Security

References:

BugTraq Mailing List, Thu Jun 22 2006 - 14:32:32 CDT , SYMSA-2006-005 at http://archives.neohapsis.com/archives/bugtraq/2006-06/0508.html.
Lanap Software Web site, ASP CAPTCHA & ASP.NET CAPTCHA components to prevent automated registrations on your website at http://www.lanapsoft.com/.
Symantec Vulnerability Research Security Advisory SYMSA-2006-005, Lanap CAPTCHA bypass exposure at http://www.symantec.com/enterprise/research/SYMSA-2006-005.txt.
BID-18315: Lanap BotDetect CAPTCHA ASP.NET Bypass Weakness
CVE-2006-2918: The Lanap BotDetect APS.NET CAPTCHA component before 1.5.4.0 stores the UUID and hash for a CAPTCHA in the ViewState of a page, which makes it easier for remote attackers to conduct automated attacks by replaying the ViewState for a known number.
SA20830: Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness
SECTRACK ID: 1016371: Lanap BotDetect CAPTCHAs Can Be Bypassed By Remote Users
VUPEN/ADV-2006-2518: Lanap BotDetect ASP.NET CAPTCHA ViewState Handling Security Bypass Vulnerability

Reported:

Jun 23, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page