[Security announcements] Textimage - response validation bypass

Submitted by oliver on Wed, 2007-01-31 13:12.

And of course... We already updated...

------------TEXTIMAGE - RESPONSE VALIDATION BYPASS------------

* Advisory ID: DRUPAL-SA-2007-007

* Project: Textimage (third-party module)

* Version: 4.7.x, 5.x

* Date: 2007-Jan-31

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Captcha bypass

------------DESCRIPTION------------

Captcha validation by Textimage can be bypassed by manipulating request
variables while posting. This defeats the purpose of the captcha and makes
automated submission possible.

------------VERSIONS AFFECTED------------

* All versions of Textimage 4.7.x prior to Textimage 4.7-1.2.

* All versions of Textimage 5.x prior to Textimage 5.x-1.1.

Drupal core is not affected. If you do not use the contributed Captcha module,
there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you use Drupal 4.7.x use Textimage 4.7.x-1.2
[http://drupal.org/node/114517].

* If you use Drupal 5.x use Textimage 5.x-1.1
[http://drupal.org/node/114518].

See also the Textimage project page [http://drupal.org/project/textimage].
------------REPORTED BY------------

Thomas Nilsson.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [http://drupal.org/contact].

redhat.at

Navigation

User login

[Security announcements] Textimage - response validation bypass

Similar entries

Bloggers

Who's new

Who's online

Online users

Search

Recent blog posts