In the drupal 5 module for mollom, the captcha-only check can be by-passed by leaving out the session-id from the posted form. This patch fixes this.

CommentFileSizeAuthor
capcha_exploit.patch498 bytesBenjamin Schrauwen

Comments

dries’s picture

Status: Needs review » Fixed

Committed to DRUPAL-5. Thanks! :)

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

dergachev’s picture

Status: Closed (fixed) » Active

Guys, it seems to me this vulnerability still exists in the 6.x version.

dries’s picture

Can you provide steps to reproduce?

vasi’s picture

Status: Active » Closed (fixed)

Nope, on review we find it does not occur. 'Scuse us!