1. Ignore the CAPTCHA and submit.
2. Go back, enter "undefined" in the CAPTCHA field and submit again.
3. Profit

Comment | File | Size | Author
#1 | 995260-undefined-hack-01.patch | 1.6 KB | soxofaan

Comments

soxofaan’s picture

Good catch! How did you find this?

attached patch should fix it

soxofaan’s picture

Version: 6.x-2.3 » 6.x-2.x-dev

changing version to trigger test bot (hopefully)

soxofaan’s picture

Status: Active » Needs review

status too

miopa’s picture

I was wondering how many of the failed attempts were likely caused by human error as opposed to blocked spammers, and I noticed this in the dblog

comment_form post blocked by CAPTCHA module: challenge "Image" (by module "image_captcha"), user answered "", but the solution was "undefined".

The patch is fixing the bug, but now I get in the dblog

comment_form post blocked by CAPTCHA module: challenge "Image" (by module "image_captcha"), user answered "undefined", but the solution was "50af097255a6807dde16121aa7c05c36".

I think it would be better to have an explanation that session reuse was detected in the log entry.

soxofaan’s picture

Hi miopa,

I think it's best to commit the patch from #1 already.
You have a point about having more information about session reuse attacks in the log, but I think this fits nicely in this feature request of yours: #998326: Separate log of wrong and empty responses

soxofaan’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev
Status: Needs review » Patch (to be ported)
Issue tags: +low-hanging fruit

committed (D6): http://drupal.org/cvs?commit=466592

to be ported to D7 version

soxofaan’s picture

Status: Patch (to be ported) » Fixed

ported and committed to D7:
http://drupal.org/cvs?commit=470928

Status: Fixed » Closed (fixed)
Issue tags: -low-hanging fruit

Automatically closed -- issue fixed for 2 weeks with no activity.
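
The following PHP example is added here and is not code from the CAPTCHA module or from the patch in #1. It models, on the assumption suggested by the two dblog entries quoted in the thread, a check that overwrites a used solution with the fixed string "undefined", next to a version that overwrites it with a random value and records session reuse as its own log message. Function names, session keys and the sample solution are hypothetical.

```php
<?php
// Simplified model of a session-backed CAPTCHA check (hypothetical code;
// function names and session keys are assumptions, not the module's).

// Before: a used solution is overwritten with a fixed placeholder, so the
// placeholder itself is accepted when the same session is submitted again.
function validate_vulnerable(array &$session, string $answer): bool {
  $ok = ($answer === $session['solution']);
  $session['solution'] = 'undefined';
  return $ok;
}

// After: a used solution is replaced by an unguessable random value, and the
// session is flagged so a resubmission is rejected and logged as reuse
// instead of as an ordinary wrong answer.
function validate_hardened(array &$session, string $answer, array &$log): bool {
  if (!empty($session['used'])) {
    $log[] = 'CAPTCHA session reuse detected, user answered "' . $answer . '"';
    return false;
  }
  $ok = hash_equals($session['solution'], $answer);
  if (!$ok) {
    $log[] = 'wrong CAPTCHA response, user answered "' . $answer . '"';
  }
  // Even if the flag check above were skipped, no fixed string would match.
  $session['solution'] = bin2hex(random_bytes(16));
  $session['used'] = true;
  return $ok;
}

// Constructed sample: one challenge, then an empty submission followed by a
// resubmission of the same session with the literal answer "undefined".
$session = ['solution' => 'Xk3Pq'];
var_dump(validate_vulnerable($session, ''));
var_dump(validate_vulnerable($session, 'undefined'));

$session = ['solution' => 'Xk3Pq'];
$log = [];
var_dump(validate_hardened($session, '', $log));
var_dump(validate_hardened($session, 'undefined', $log));
print_r($log);
```

In the first pair the second submission is accepted; in the second pair both are rejected and the log separates the wrong answer from the reuse attempt.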