As with Captcha Bypass Vulnerability in /admin/loginc.php, the following code does not check wether isset($_SESSION['captcha']['code'])==1,
} elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
So, in order to bypass this captcha, we could simply empty $_POST['captcha'], but make sure there is no previous GET request to /reg.php.
/reg.php
As with Captcha Bypass Vulnerability in /admin/loginc.php, the following code does not check wether isset($_SESSION['captcha']['code'])==1,
} elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
So, in order to bypass this captcha, we could simply empty $_POST['captcha'], but make sure there is no previous GET request to /reg.php.