Kunena / Kunena-Forum

Kunena Forum - Forum / Bulletin Board / Discussions component for Joomla - This is the 6.x/5.x main development branch. Please do not open issues regarding earlier versions of Kunena
https://www.kunena.org
GNU General Public License v3.0

Security issue: Any captcha plugin other than ReCaptcha not working #9640

Closed c-schmitz closed 7 months ago

c-schmitz commented 8 months ago

I installed a custom captcha plugin in Joomla. On posting a new message to the forum it is correctly shown, but I can enter any response. The result is not checked and the message is accepted.

To Reproduce

Steps to reproduce the behavior:

  1. Install any custom captcha plugin in Joomla. Deactivate all other captcha plugins.
  2. Set in Kunena settings that captchas are required for new messages & new users
  3. Log in as a new user and create a new forum post. The captcha for the installed plugin is shown normally.
  4. Enter no captcha response or an incorrect captcha response string.

Expected behavior

Error message on submit saying that the Captcha is wrong

Actual result

No error message, message gets posted

System information

Joomla version: 4.4.3
Kunena version: 6.2.0

xillibit commented 8 months ago

Hello,

There is a change merged into K6.3 that you can find in the beta1: https://github.com/Kunena/Kunena-Forum/pull/9595

Can you try with that please?

c-schmitz commented 8 months ago

Ah great. Yes, will check in the next few days and give feedback.

xillibit commented 8 months ago

Did you have the time to check? You can try with the beta2: https://github.com/Kunena/Kunena-Forum/releases/tag/6.3-beta2

c-schmitz commented 8 months ago

Hi - I tested today with beta2 and there was no difference. The captcha would still be ignored as described above.

Ruud68 commented 8 months ago

Hi @c-schmitz can you tell me which (joomla) captcha plugin you are using?

c-schmitz commented 8 months ago

plg_easycalccheckcaptcha_pro_v4.3.0.0.zip This one.

Ruud68 commented 8 months ago

Hi @c-schmitz, can you test #9660? Can you also remove the download in this comment: https://github.com/Kunena/Kunena-Forum/issues/9640#issuecomment-1999541948 to prevent downloads by people who do not have a subscription :)

Was able to reproduce with your plugin (issue with google captchas is that you cannot make them fail: they are always valid, so that was impossible to test).

c-schmitz commented 8 months ago

Well, it is a GPL3 Open Source plugin, subscription is only for updates & support. :-) I will check the PR soon.

Gindi50 commented 8 months ago

I do not know if this is interesting: I replied to a post as a guest (without logging in) on my test server with Joomla 5.0.3 and 6.3.0-BETA3-DEV-2024-03-12 with the latest updates in the guest area and then also created my own topic as a guest. In both cases the save was accepted without an error message. No captcha window appeared, but a small window "Privacy Policy - Terms of Use" appears in the bottom right corner and on hover the window opens and it says "protected by reCAPTCHA Privacy Policy - Terms of Use".
In the Joomla configuration, the default captcha is set to Invisible reCAPTCHA.

If I do the same with Joomla 5.0.3 and Kunena 6.2.4, the result is the same, with the difference that under the editor input window in bold letters reCaptcha is written but without query window. The small window at the bottom right is also there.

Ruud68 commented 8 months ago

Hi @Gindi50, this is correct: the 'reCaptcha' label in 6.2 was independent of which captcha was selected. I removed the label so the selected captcha is in charge of the display. In the case of the invisible it then is actually invisible, so no reCaptcha label but no label.

c-schmitz commented 7 months ago

I can confirm that 6.3RC1 is fixing the issue.