Login Captcha is easily bypassed!

This could very easily be tied to my last bug

Is there anything else out there that accomplishes the same task that captcha does?

I believe I atleast found out where the problem is - just don't know the how to fix it..

function captcha_form_alter($formid, &$form) {

.......

if ($flag && isset($trigger)) {
$form['#submit'] = array('captcha_submit' => array()) + $form['#submit'];
if (!_captcha_validate($_POST['edit']['captcha_response'])) {
//use call_func because module_invoke does not allow call by reference.
if (module_hook($captcha_type, 'captchachallenge')) {
call_user_func_array($captcha_type.'_captchachallenge', array(&$form, &$_SESSION['captcha']));
}
}
}

That is the code that prints out the captcha on the forms you want them on. The IF statement IS being called even though the captcha IS NOT showing up. I haven't really looked yet, but whatever functions it is using to attach the form is where the problem is...

I think.

..Anyone out there wanna help?

making some more progress..

if you change that loop to:

if ($flag && isset($trigger)) {
$form['#submit'] = array('captcha_submit' => array()) + $form['#submit'];
//use call_func because module_invoke does not allow call by reference.
if (module_hook($captcha_type, 'captchachallenge')) {
call_user_func_array($captcha_type.'_captchachallenge', array(&$form, &$_SESSION['captcha']));
}
}

which just removes the middle IF statement - it achieves two goods things, but still one problem. 1) it shows the captcha after the login is submiited (w/ incorrect pw or username) 2) If the captcha entry was correct the first time, no more errors will be thrown.

but now the problem is this..the captcha changes after the login is submitted BUT only the first answer works...the answer remains in the text box - but it will look too weird if you keep it this way.

so we need ONE of two solutions:
1) once the captcha is verified for a certain form, it goes away until submission is done (dont like this one, this opens up spam now)
2) the captcha changes like it does, but needs a new answer (this is much better)

i will keep trying..anyone else feel free to jump in..the funny thing is I don't even know php

the problem might be in :

function captcha_submit() {
if($_SESSION['captcha_correct']) {
unset($_SESSION['captcha_correct']);
unset($_SESSION['captcha']);
}
}

after submitting, if it is correct, we need the captcha to start from scratch, even if the password was incorrect and the form is still there. we need a brand new captcha then. if it is correct and the password is correct, then theres no form , and no problem.

this code calls to unset it if it is sucessful, but i think the problem is that since it is the same form (when the pw is wrong) that it doesnt show a new captcha...need some help

i think this might be important too..

the captcha submit function ONLY gets called if the login is completely successful...

function captcha_submit() {
if($_SESSION['captcha_correct']) {
unset($_SESSION['captcha_correct']);
unset($_SESSION['captcha']);
}
}

shouldn't it be called and reset regardless of the outcome of the login?

I can't figure this out..

Other people MUST be having this problem..and how about the node submission problem. With captcha enabled you CANNOT submit anything on my site..

No one can fix this?

Another BUG: There is a way to bypass the captcha when logging in. I was able to log in after a few failed attempts and some other things while getting the captcha incorrect. And no one has noticed this?

Its easier than i thought...

Go to the login page (not block)

Enter a valid username / pw

ignore the captcha field

After the error flags SIMPLY press the 'log in' tab and BINGO

I thought the rapid amount of posts would raise some attention. Thank you for supporting. I believe my other issue regarding node and comment submission is an extremely critical bug as well. That should be addressed as well.

awesome let me try it out. great to see someone finally taking an interest in the case. I will let you know how it works out. Did you look into the bug with previewing nodes and comments?

Am i doing something wrong? patch -p0 < user_login_captcha.patch ?

Are you sure that doesn't effect anything else?

Is it possible to just block people who fail a login attempt say X amount of times in X amount of time, like most good forums do. Or maybe a time gap each login?

Just thinking..

Do you guys see the bug in this module that pertains to submitting nodes and comments if you press 'preview' ?

i did a while ago. no one has addressed it.

Thats irrelevant. Yes it does prove that you are human. But if you read the any of the posts you will see the actual problems.