There's a very important vulnerability I'd like to report about the Trumpflare Captcha.One thing I've noticed is that the letters that are used are very easily to manipulate. By malforming the GET request's "extra" parameter, I can make it only return

Name
Email
Subject	Spoiler Image
Comment
Flag
File
Password	(For file deletion.)

Frog 09/28/24 (Sat) 19:44:39 No.672

There's a very important vulnerability I'd like to report about the Trumpflare Captcha.

One thing I've noticed is that the letters that are used are very easily to manipulate. By malforming the GET request's "extra" parameter, I can make it only return the numbers "1488", the letter "q", or anything of that sort. Here's an example:

>A soicuck makes the captcha only return the letter "ö"
>Thus, every single captcha will have the result "ööööö"
>Captcha is bypassed and the soicuck will now spam /qa2/

My solution to this, is to stop any sort of tampering with the parameters. The default Captcha letters are "abcdefghijklmnopqrstuvwxyz", and every time a request is sent to the captcha entrypoint, compare the extras parameter from the request and the string "abcdefghijklmnopqrstuvwxyz".

Frog ## Admin 09/28/24 (Sat) 19:54:16 No.673

informative

Frog ## Admin 09/29/24 (Sun) 15:06:08 No.681

well, this isnt really a problem, as it wont let you submit

Frog 09/29/24 (Sun) 15:36:54 No.682

You should test a vulnerability next time before assuming it

Frog ## Admin 09/29/24 (Sun) 17:58:35 No.683

File: 1727632714791.png (16.54 KB, 735x208, 1703250588757.png)ImgOps Yandex

kek, its keyed