Securimage 3.6.4 Released

Written on March 3rd, 2016
Categories: Uncategorized

Securimage 3.6.4 has been released to address an XSS vulnerability in example_form.ajax.php (an example included with Securimage) which could allow an attacker to inject arbitrary JavaScript code via a crafted URL. Users directed to the malicious URL could have cookies or other sensitive information exposed, or have more dangerous JavaScript code executed. Thanks to RedTeam for discovering the flaw.

It is recommended to update to 3.6.4 as soon as possible, or delete example_form.ajax.php from your Securimage directory.

Additionally, version 3.6.3 adds support for the following:

  • Add support for multibyte wordlist files
  • Fix code generation issues with UTF-8 charsets
  • Add parameter to getCaptchaHtml() to render components of captcha HTML individually for easier customization
  • Fix database audio storage issue with multiple namespaces


4 comments on “Securimage 3.6.4 Released”

Well, good, but this thing is not able to have more than one form in the same page; otherwise the refresh image works only in the first form and not in the others. Fix this, it's really serious.

This is because you need to change the code so each captcha has a unique DOM ID otherwise it will refresh the wrong one. For one example, see https://github.com/dapphp/securimage/blob/master/examples/multiple_captchas_single_page.php

This has been supported for a long time but was not well documented. I created a demo script as part of the Git repository which you can find here. Thanks and let me know if you have any questions.
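As an added illustration of the point above (this is not code from Securimage or its bundled examples), each captcha on the page gets its own image element ID and its own reload handler, so reloading one form's image never touches another's. The securimage_show.php endpoint name and its `namespace` query parameter are assumptions about the deployment, not something stated in this post.

```javascript
// Added example: one reload handler per captcha instance, keyed by a
// unique DOM ID, so that reloading form A never replaces the image in form B.
// Assumptions (not from the original post): the image is served by
// securimage_show.php and that script accepts a "namespace" query parameter.

const CAPTCHA_ENDPOINT = 'securimage_show.php';

// Build the image URL for a given captcha namespace. The nonce defeats
// browser caching so that a reload actually fetches a fresh image.
function buildCaptchaSrc(namespace, nonce) {
  // Only allow a conservative identifier so the value is safe to embed in the URL.
  if (!/^[A-Za-z0-9_]+$/.test(namespace)) {
    throw new Error('namespace must be alphanumeric/underscore');
  }
  const params = new URLSearchParams({ namespace: namespace, _: String(nonce) });
  return `${CAPTCHA_ENDPOINT}?${params.toString()}`;
}

// Element ID of the captcha <img> belonging to a given form/namespace.
function captchaImageId(namespace) {
  return `captcha_image_${namespace}`;
}

// Element ID of the "reload image" link belonging to a given form/namespace.
function captchaReloadId(namespace) {
  return `captcha_reload_${namespace}`;
}

// Attach a click handler to each form's reload link. Each handler closes
// over its own namespace and <img>, so it only updates that one image.
// Returns the list of namespaces that were actually wired up.
function bindCaptchaReloads(doc, namespaces) {
  const bound = [];
  for (const ns of namespaces) {
    const img = doc.getElementById(captchaImageId(ns));
    const link = doc.getElementById(captchaReloadId(ns));
    if (!img || !link) continue; // form not present on this page
    link.addEventListener('click', (ev) => {
      ev.preventDefault();
      img.src = buildCaptchaSrc(ns, Date.now());
    });
    bound.push(ns);
  }
  return bound;
}
```

Call `bindCaptchaReloads(document, ['login', 'contact'])` once the DOM is ready, with each form's image and reload link using the IDs produced by `captchaImageId` and `captchaReloadId`.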

nice work

