The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

Cimy User Extra Fields
[resolved] User avoiding reCAPTCHA can still register (7 posts)

  1. corij
    Posted 4 years ago #

    Ran into a potential security issue that would allow any user to bypass reCAPTCHA and registration will still work.

    I am using Firefox (8.0) and the RequestPolicy add-in (v0.5.23). That add-on allows me to block browser requests to other sites. In this case, it was blocking the request to google for the reCAPTCHA.
    With it blocked, I expected the registration to fail, as it would not have a valid code (since it never showed up on the page).
    Turns out it let me register as if there was no reCAPTCHA (of course, there was none on screen).

    I don't think this is an reCAPTCHA problem. If I use a service like hotfile.com, and I block google/recaptcha, it won't let me continue. I have to enable/unblock in order for it to continue. However, with the cimy plug-in, if i block google/recaptcha, it proceeds as if it never needed the verification.
    If I unblock google/recaptcha for when accessing my site using cimy, it works as expected and prevents registration if i mistype the code.

    I have not tried any other registration enhancement plug-ins on wordpress, so I don't know if the others would behave similarly.

    Installation info:
    Wordpress 2.3.1
    Cimy 2.2.0
    Role Scoper 1.3.46
    Category Icons Lite 1.0.4


  2. Marco Cimmino
    Plugin Author

    Posted 4 years ago #

    I'll take a look, thanks for the detailed bug report, much appreciated!

  3. Marco Cimmino
    Plugin Author

    Posted 4 years ago #

    Fixed in next version, you can try the development version here:

    it says v2.2.0 but has the fix already ;)

  4. Marco Cimmino
    Plugin Author

    Posted 4 years ago #

    My initial fix broke several things and wasn't secure enough. v2.3.1 contains a new fix that should work quite well.

    Let me know.

  5. icc97
    Posted 4 years ago #

    Hi Marco,

    I'm pretty sure this is still not working. The fix you added in v2.3.1 (add_action('register_post', 'cimy_registration_captcha_check', 11, 3);) relies on there being a do_action('register_post') somewhere. The only place that action exists is in your OFFICIAL_README.txt where you advise people to fix the Theme My Login plugin with adding do_action('register_post').

    I'm guessing that you have that plugin installed with that code where you test. However if you don't have that plugin with your extra code the captcha_check is never called.

    I fixed this by adding a call to cimy_registration_captcha_check into your cimy_profile_check_wrapper function.

  6. icc97
    Posted 4 years ago #

    Actaully I've just realised of course my fix creates an error when you try to update the profile.

  7. Marco Cimmino
    Plugin Author

    Posted 4 years ago #

    Please try v2.3.6 should work.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Cimy User Extra Fields
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic