xxyopen Novel-Plus Captcha Replay Vulnerability in Authentication Bypass

Vulnerability

A critical vulnerability has been identified in xxyopen/201206030 novel-plus versions through 5.1.3. The issue resides in the ajaxLogin function of the LoginController, specifically within the CAPTCHA Handler component. It allows authentication bypass through a captcha replay attack: an attacker can reuse a valid captcha to circumvent brute-force protection. The flaw arises because the application fails to invalidate a captcha after its initial use, enabling automated attacks on user passwords. The vulnerability can be exploited remotely, although the attack complexity is considered high.

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to perform automated brute-force or dictionary attacks on user accounts, bypassing the application's brute-force protection measures.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the login function. The application validates the submitted captcha against the value stored in the session. However, a captcha is not invalidated after it has been used, so the same captcha can be replayed multiple times. This can be automated to conduct brute-force attacks on user passwords.
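The flaw and its fix reduce to whether the login handler consumes the session-stored captcha on first use. The following is an added, self-contained model (not novel-plus code) with a constructed in-memory session and credential store: the vulnerable handler leaves the captcha in the session, the fixed one pops it before checking, and a counter shows how many password guesses a single solved captcha lets through in each case.

```python
import hmac
from typing import Callable, Dict, Iterable

# Constructed in-memory stand-in for the server-side HTTP session.
Session = Dict[str, str]
USERS = {"alice": "correct-horse"}  # constructed credential store, not real data


def issue_captcha(session: Session, code: str) -> None:
    """Models the captcha endpoint storing the expected answer in the session."""
    session["captcha"] = code


def _captcha_matches(expected, supplied: str) -> bool:
    # Case-insensitive, constant-time comparison of the expected answer.
    return expected is not None and hmac.compare_digest(expected.lower(), supplied.lower())


def ajax_login_vulnerable(session: Session, username: str, password: str, captcha: str) -> str:
    # Flaw: the stored captcha is read but never removed, so the same code
    # keeps passing the check for every subsequent password guess.
    if not _captcha_matches(session.get("captcha"), captcha):
        return "captcha_error"
    return "ok" if USERS.get(username) == password else "bad_credentials"


def ajax_login_fixed(session: Session, username: str, password: str, captcha: str) -> str:
    # Fix: consume the captcha on first use, before and regardless of the
    # credential check, so a replayed code fails and each guess needs a new one.
    expected = session.pop("captcha", None)
    if not _captcha_matches(expected, captcha):
        return "captcha_error"
    return "ok" if USERS.get(username) == password else "bad_credentials"


def guesses_past_captcha(handler: Callable[..., str], guesses: Iterable[str]) -> int:
    """Replays one legitimately solved captcha across many password guesses and
    counts how many guesses reached the credential check at all."""
    session: Session = {}
    issue_captcha(session, "X7Q2")  # constructed captcha, solved once
    passed = 0
    for pw in guesses:
        if handler(session, "alice", pw, "x7q2") != "captcha_error":
            passed += 1
    return passed


if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "correct-horse"]  # constructed
    print("vulnerable handler, guesses past captcha:", guesses_past_captcha(ajax_login_vulnerable, wordlist))  # 4
    print("fixed handler, guesses past captcha:     ", guesses_past_captcha(ajax_login_fixed, wordlist))       # 1
```

In a real deployment the same one-time semantics should also hold across concurrent requests sharing a session, which is why the removal happens before the comparison rather than after a failed login.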

Added: Jun 24, 2025, 12:17 AM
Updated: Jun 24, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.