Math Comment Spam Protection: Token Reuse

30 Aug 2010

On 14 August 2010 I discovered a vulnerability in the Math Comment Spam Protection plugin by Michael Wöhrer. The plug-in suffers from a flaw in which the same token can be replayed until it is up to a day old (since only the date, and nothing per request, is included in it), allowing spam to be automated by solving a single CAPTCHA per day. A reasonable amount of time to fix had been set at two weeks before public disclosure. I attempted to contact the vendor twice: once via his site and, from the week after, via e-mail.

The vulnerability lies in the function below:

function MathCheck_Aux_GenerateHash($inputstring, $day, $unique) {
 // If using WordPress: many people have defined a WP_SECRET string in
 // wp-config.php, so we add it if it exists
 if ( defined('WP_SECRET') )
 $inputstring .= WP_SECRET;
 // Adds the file modification time of this file
 $inputstring .= filemtime(__FILE__);
 // Adds a unique value
 $inputstring .= $unique;
 // Add the IP address of the server under which the current script is executing.
 $inputstring .= getenv('SERVER_ADDR');
 // Add date: day plus month/year, so every input is fixed for the whole day;
 // no per-request value (nonce, session, form instance) is mixed in
 $inputstring .= $day . date('ny');
 // Get MD5 and reverse it
 $enc = strrev(md5($inputstring));
 // Get only a few chars out of the string
 $enc = substr($enc, 28, 1) . substr($enc, 9, 1) . substr($enc, 21, 1)
 . substr($enc, 15, 1) . substr($enc, 7, 1);
 // Return result
 return $enc;
}
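
To make the replay concrete, the script below is an added example and is not code from the plug-in or its author. It ports the hash above to Python so it runs offline (WP_SECRET, filemtime(__FILE__), SERVER_ADDR and date('ny') become plain parameters), models the stateless day-bound check described in this post with an assumed "unique" value and assumed form field names, counts how many replays of one solved challenge are accepted, and contrasts it with a hardened verifier that ties each form to a single-use server-side nonce.

```python
import hashlib
import hmac
import secrets


def generate_hash(inputstring, day, unique, wp_secret="", file_mtime=0,
                  server_addr="", month_year=""):
    # Python port of MathCheck_Aux_GenerateHash for this illustration only.
    # WP_SECRET, filemtime(__FILE__), SERVER_ADDR and date('ny') are passed in
    # explicitly so the example runs without WordPress.
    s = (inputstring + wp_secret + str(file_mtime) + unique
         + server_addr + day + month_year)
    enc = hashlib.md5(s.encode()).hexdigest()[::-1]      # md5 then strrev()
    return enc[28] + enc[9] + enc[21] + enc[15] + enc[7]  # same positions as the PHP


class StatelessVerifier:
    """Models the plug-in's check as described in the post: the hidden token is
    a hash of the correct answer plus the day, so it stays valid all day."""

    def __init__(self, wp_secret, server_addr, file_mtime, unique):
        self.env = dict(wp_secret=wp_secret, server_addr=server_addr,
                        file_mtime=file_mtime)
        self.unique = unique  # assumed fixed per-site value

    def challenge(self, a, b, day, month_year):
        token = generate_hash(str(a + b), day, self.unique,
                              month_year=month_year, **self.env)
        return {"question": f"{a} + {b} = ?", "token": token}

    def verify(self, answer, token, day, month_year):
        expected = generate_hash(str(answer), day, self.unique,
                                 month_year=month_year, **self.env)
        return hmac.compare_digest(expected, token)


def replay_count(verifier, attempts=1000):
    """Solve the CAPTCHA once, then resubmit the same (answer, token) pair.
    Returns (replays accepted on the same day, whether it still works next day)."""
    form = verifier.challenge(3, 4, day="14", month_year="0810")
    answer = 7  # solved once, by a human or a trivial parser
    accepted = sum(verifier.verify(answer, form["token"], "14", "0810")
                   for _ in range(attempts))
    next_day = verifier.verify(answer, form["token"], "15", "0810")
    return accepted, next_day


class NonceVerifier:
    """Hardened form (added here, not the plug-in's fix): every rendered form
    gets a random nonce, the expected answer is kept server-side, and the nonce
    is consumed on first use, so a captured (answer, nonce) pair cannot be replayed."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._pending = {}  # nonce -> (answer, expiry); a DB row or transient in WordPress

    def challenge(self, a, b, now):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (a + b, now + self.ttl)
        return {"question": f"{a} + {b} = ?", "nonce": nonce}

    def verify(self, answer, nonce, now):
        entry = self._pending.pop(nonce, None)  # one shot: gone after first use
        if entry is None:
            return False
        expected, expires = entry
        return now <= expires and answer == expected


def nonce_replay_count(attempts=1000):
    """Same attack against the hardened verifier: first submission succeeds,
    every replay of the same pair is rejected."""
    v = NonceVerifier()
    form = v.challenge(3, 4, now=0)
    first = v.verify(7, form["nonce"], now=1)
    replays = sum(v.verify(7, form["nonce"], now=2) for _ in range(attempts))
    return first, replays


if __name__ == "__main__":
    v = StatelessVerifier(wp_secret="s3cret", server_addr="127.0.0.1",
                          file_mtime=1282000000, unique="u")
    print("stateless: replays accepted / works next day:", replay_count(v))
    print("nonce: first accepted / replays accepted:", nonce_replay_count())
```

The stateless verifier accepts the captured pair on every attempt because nothing in the hash changes between requests on the same day; the pair only stops working when the day digit changes, which is exactly the "one CAPTCHA per day" cost described above. The hardened verifier needs server-side state keyed by the nonce, which is what the original design avoids by hashing the date instead; there is no way for a pure function of (answer, day) to tell a first use from a replay.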

Risk assessment:

A simple text-based maths CAPTCHA such as this would not resist a targeted automated attack anyway, since the question is trivial to parse and solve by script. The CAPTCHA therefore still offers some protection against generic bots that are not written specifically for this plug-in, but that protection rests on obscurity rather than on any sound security mechanism.