Skip Menu |

This queue is for tickets about the Authen-Captcha CPAN distribution.

Report information
The Basics
Id: 7664
Status: resolved
Priority: 0/
Queue: Authen-Captcha
People
Owner: Nobody in particular
Requestors: GRUBER [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: 1.023_001

History Show all quoted text
  Thu Sep 16 06:40:02 2004 GRUBER [...] cpan.org - Ticket created
Subject: improve Authen::Captcha security
Hi, I think this patch should somewhat improve Captcha.pm security, otherwise it is too easy to brute-force md5 sums. [The patch below might have white-space problems, since I am entering this in a web-form, cut-n-pasting my earlier E-mail] --- Captcha.pm.orig Mon May 10 10:58:05 2004 +++ Captcha.pm Mon May 10 11:06:24 2004 @@ -65,6 +65,7 @@ sub new my $keep_failures = (defined($opts{keep_failures}) && $opts{keep_failures}) ? 1 : 0; $self->keep_failures($keep_failures); + $self->secret($opts{secret} || ""); # create a random seed if perl version less than 5.004 if ($] < 5.005) @@ -193,6 +194,18 @@ sub data_folder } } +sub secret +{ + ref(my $self = shift) or croak "instance variable needed"; + if (@_) + { # it's a setter + $self->{_secret} = $_[0]; + return $self->{_secret}; + } else { + return $self->{_secret}; + } +} + sub check_code { @@ -214,7 +227,7 @@ sub check_code # they could be confused with (o) and (l), so we swap them in $code =~ tr/01/ol/; - my $md5 = md5_hex($code); + my $md5 = md5_hex($code . $self->secret); # pull in current database warn "Open File: $database_file\n" if($self->debug() >= 2); @@ -490,7 +503,7 @@ sub generate_code my $length = shift; my $code = $self->generate_random_string($length); - my $md5 = md5_hex($code); + my $md5 = md5_hex($code . $self->secret); my ($captcha_data_ref,$output_filename); if ($self->type() eq 'image') @@ -625,6 +638,7 @@ See the method descriptions for more det height => 35, # optional. default 35 images_folder => '/some/folder', # optional. default to lib dir keep_failures => 0, # optional, defaults to 0(false) + secret => "", # optional, defaults to "" debug => 0, # optional. default 0 =back @@ -694,6 +708,14 @@ Optional. Number of pixels wide for the =item C<$captcha-E<gt>keep_failures( [0|1] );> Optional. Defaults to zero. This option controls whether or not the captcha will remain valid +after a failed attempt. By default, we only allow one attempt to solve it. This greatly +reduces the possibility that a bot could brute force a correct answer. Change it at your own +risk. + +=item C<$captcha-E<gt>secret( "SuperSecret" );> + +Optional. Defaults to an empty string. This option is meant to prevent +brute-force captcha circumvention by calculating md5 sum of multiple +valid codes and comparing them with the image file name. Obviously, the +secret should be the same for creating and checking the captcha. It is a +good idea to set it to something else than the default. =item C<$captcha-E<gt>debug( [0|1|2] );> Cheers, \Anton.
  Wed Mar 12 11:32:19 2014 lubo.rintel [...] gooddata.com - Correspondence added
Hi! Thanks for your report. We've just uploaded 1.024 that addresses this issue to CPAN and it will hit mirrors in a couple of hours. Have a nice day! Lubo
  Wed Mar 12 11:32:19 2014 The RT System itself - Status changed from 'new' to 'open'
  Wed Mar 12 11:32:20 2014 lubo.rintel [...] gooddata.com - Status changed from 'open' to 'resolved'
  Wed Mar 12 11:32:20 2014 lubo.rintel [...] gooddata.com - Fixed in 1.023_001 added