s3131212 / allendisk

http://ad.allenchou.cc
MIT License

Captcha Bypass Vulnerability in /reg.php #25

Closed ghost closed 7 years ago

ghost commented 7 years ago

/reg.php

```php
if (isset($_POST['name']) && isset($_POST['password2']) && isset($_POST['password']) && $config['reg'] == 'true') {
    $username = $_POST['name'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $password2 = $_POST['password2'];
    $namecheck = $db->ExecuteSQL(sprintf("SELECT count(*) AS `count` FROM `user` WHERE `name` = '%s'", $db->SecureData($username)));
    if ($namecheck[0]['count'] > 0) {
        $err = 2;
    } elseif ($username == '') {
        $err = 0;
    } elseif ($email == '') {
        $err = 0;
    } elseif ($password == '') {
        $err = 0;
    } elseif ($password != $password2) {
        $err = 1;
    } elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
        $err = 4;
    } else {
        $db->insert(array('name' => $username, 'pass' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email), 'user');
        $err = 3;
    }
}
```

As with Captcha Bypass Vulnerability in /admin/loginc.php, the following code does not check whether `isset($_SESSION['captcha']['code'])==1`: `} elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {` So, in order to bypass this captcha, we could simply empty `$_POST['captcha']`, but make sure there is no previous GET request to /reg.php.
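A hardened replacement for that comparison, as an added example that is not allendisk's code and not the fix in the commit referenced below (the function name `captcha_valid` and the sample inputs are constructed for illustration):

```php
<?php
// Added example, not part of allendisk. Replaces the loose comparison
//   strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])
// with a check that fails closed when no captcha was ever issued.
function captcha_valid(array $post, array &$session): bool
{
    // No captcha in the session (e.g. /reg.php was never requested with GET):
    // refuse instead of comparing against null, which the original check
    // turns into '' and then matches an empty $_POST['captcha'].
    if (!isset($session['captcha']['code'])
        || !is_string($session['captcha']['code'])
        || $session['captcha']['code'] === '') {
        return false;
    }
    // Missing, non-string (e.g. captcha[]=) or empty submitted value: refuse.
    if (!isset($post['captcha']) || !is_string($post['captcha']) || $post['captcha'] === '') {
        return false;
    }
    $expected = strtolower($session['captcha']['code']);
    $given    = strtolower($post['captcha']);
    // Strict, constant-time comparison; != would also treat "1e1" and "10" as equal.
    $ok = hash_equals($expected, $given);
    // Single use: consume the code on every attempt so a wrong guess cannot
    // be retried against the same code.
    unset($session['captcha']);
    return $ok;
}

// Usage in /reg.php would be:
//   } elseif (!captcha_valid($_POST, $_SESSION)) {
//       $err = 4;
//   }

// Constructed inputs exercising each path (not real requests).
$session = [];                                            // no captcha issued yet
$emptyCaptchaWithoutSession = captcha_valid(['captcha' => ''], $session);

$session = ['captcha' => ['code' => 'aB3x']];
$correctCaseInsensitive = captcha_valid(['captcha' => 'ab3X'], $session);
$consumedAfterUse = !isset($session['captcha']);

$session = ['captcha' => ['code' => 'aB3x']];
$wrongCode = captcha_valid(['captcha' => 'zzzz'], $session);

var_dump($emptyCaptchaWithoutSession, $correctCaseInsensitive, $consumedAfterUse, $wrongCode);
```

Only the second and third results should be true; the first shows the page's bypass condition now being rejected.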

s3131212 commented 7 years ago

Fixed in 255b44c