SecurityReason - Lanap CAPTCHA bypass exposure

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Symantec Vulnerability Research

http://www.symantec.com/research

Security Advisory

Advisory ID : SYMSA-2006-005

Advisory Title: Lanap CAPTCHA bypass exposure

Author : Michael White, michael_white (at) symantec (dot) com [email
concealed] and

Graham Murphy, graham_murphy (at) symantec (dot) com [email concealed]

Release Date : 23-06-2006

Application : BotDetect Lanap CAPTCHA component

Platform : ASP.NET

Severity : Low/Limited exposure

Vendor status : Vendor verified, patch available

CVE Number : CVE-2006-2918

Reference : http://www.securityfocus.com/bid/18315

Overview:

The CAPTCHA component for ASP.NET provided by Lanap may be

completely bypassed, thus undermining the security benefit

of the CAPTCHA technology.

Details:

During a consulting engagement, Symantec identified that the

Lanap CAPTCHA component stores the UUID and hash for a given

CAPTCHA within the page ViewState. By replaying the ViewState

for a known number, a remote attacker may avoid the CAPTCHA

entirely.

This behaviour is dependent on the way in which the Lanap

component is integrated, however numerous examples including

Lanap's demo code are identified as exhibiting this behaviour.

Vendor Response:

The above vulnerability has been fixed in the latest release

of the product, BotDetect ASP.NET CAPTCHA 1.5.4.0.

Licensed and evaluation versions of Lanap BotDetect ASP.NET

CAPTCHA are available for customer download from the Lanap

website at http://www.lanapsoft.com

If there are any further questions about this statement, please

contact Lanap support.

Recommendation:

Upgrade to the latest release of the product,

BotDetect ASP.NET CAPTCHA 1.5.4.0.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues. These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.

CVE-2006-2918

- - - - -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:

research (at) symantec (dot) com [email concealed]

For details on Symantec's Vulnerability Reporting Policy:

http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:

http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:

http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- - - - -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:

secure (at) symantec (dot) com [email concealed]

For general information on Symantec's Product Vulnerability reporting and
response:

http://www.symantec.com/security/

Symantec Product Advisory Archive:

http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:

http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.a
sc

- - - - ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.

Permission to redistribute this alert electronically is granted

as long as it is not edited in any way unless authorized by

Symantec Consulting Services. Reprinting the whole or part of

this alert in any medium other than electronically requires

permission from cs_advisories (at) symantec (dot) com. [email concealed]

Disclaimer

The information in the advisory is believed to be accurate

at the time of publishing based on currently available information.

Use of the information constitutes acceptance for use in an

AS IS condition. There are no warranties with regard to this

information.

Neither the author nor the publisher accepts any liability

for any direct, indirect, or consequential loss or damage

arising from use of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services

are registered trademarks of Symantec Corp. and/or affiliated

companies in the United States and other countries. All other

registered and unregistered trademarks represented in this

document are the sole property of their respective

companies/owners.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEmZKGuk7IIFI45IARAshOAJ9/x0C9NsmCuo43amlpnOAGKtonPgCg2XPQ

dBEH77ubEwyEjWGaFiTt4bw=

=QhH/

-----END PGP SIGNATURE-----