Hi,
I have found a problem, while configuring the captcha as number only with image captcha module. As I have chosen the number only [0123456789], the response accepting "." after the response.
For example if the CAPTCHA code is coming with "1567898", field is accepting "1567898." or "1567898.0" [as they are numbers] .
This is the first case. Second test case :
If the CAPTCHA CODE is "0125896", it is accepting "125896".
I have found the validate function working for this checking is "captcha_validate_ignore_spaces" on captcha/captcha.module. For immediate fix I modified the file with "===" operator instead of "==" comparison operator for this particular function. 

/**
 * CAPTCHA validation function to tests equality while ignoring spaces.
 * @param $solution the solution of the test.
 * @param $response the response to the test.
 * @return TRUE when equal (ignoring spaces), FALSE otherwise.
 */
function captcha_validate_ignore_spaces($solution, $response) {
  // return preg_replace('/\s/', '', $solution) == preg_replace('/\s/', '', $response);
  return preg_replace('/\s/', '', $solution) === preg_replace('/\s/', '', $response); 	
}

Comments

soxofaan’s picture

soxofaan CreditAttribution: soxofaan commented
Title: Security hole found on configuring only number on captcha admin configuration page » PHP string comparison hole found on configuring only number on captcha admin configuration page
Priority: Major » Minor
Status: Active » Fixed

Yet another reason to hate PHP more :)

fixed for D6 and D7 by
http://drupal.org/commitlog/commit/326/80f833c6199196f2974e56c598dac442d...
http://drupal.org/commitlog/commit/326/066f753f31cf1d09d4305381ba12226e0...

Apart from that: "Security hole" is a bit of a stretch I'm afraid. The CAPTCHA module has nothing to do with security: it only takes a human with basic reading skills to "break" a CAPTCHA :-) That makes a CAPTCHA a pretty weak security measure if you ask me.

Automatically closed -- issue fixed for 2 weeks with no activity.