Being able to bypass recaptcha validation because g-recaptcha-response is not validated on every request

Created on 3 December 2019, almost 5 years ago

Updated 9 December 2023, 10 months ago

This got "Closed (can be public)" from security.drupal.org

How to reproduce

1. Enabling the recaptcha 8.x-2.4 and captcha 8.x-1.0-beta4 modules.
2. Enable Drupal page cache.
3. Add reCaptcha to any form.
4. Make sure caching works by getting same captcha_sid and captcha_token for form in each page request.
5. Submit the form by solving the reCaptcha. Copy the request as curl.
6. Alter the g-recaptcha-response value and create new POST request with curl.
7. Altered POST request goes through without any captcha validation errors.

Possible solutions

- Instead of recaptcha module use simple_recaptcha → , since it works with page cache and. At least as long as #3095035: Is reCAPTCHA still being maintained? → is not resolved.
- #2219993-54: Enable cacheable captcha support (once 2449209 is committed) → patch to recaptcha module to disable cache.

🐛 Bug report

Status

Closed: outdated

Version

2.0

Component

General

Created by

🇫🇮Finland sokru

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 10 months ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
8.x-2.x is no longer supported. If this applies to 8.x-3.x, please re-open.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024