vulnerability -> every next fresh session -> same initial captcha

Open PapevisO opened this issue 4 years ago • 3 comments

Hello @huacnlee. I noticed a bug that was produced with the following version:

rucaptcha (2.5.3)
  railties (>= 3.2)

After I integrated rucaptcha into the login form, on every next visit with a fresh browser history/cache the first generated captcha keeps being the same.

After researching the forks of your gem, I noticed that this bug is not reproduced with the following version:

GIT
  remote: https://github.com/insales/rucaptcha.git
  revision: 3fe084ee93b552393c961ec90cf08b10985048c5
  specs:
    rucaptcha (2.1.3)
      railties (>= 3.2)

Please consider pulling changes and let me know if you need assistance. The mentioned fork's master branch is

insales:master branch is 19 commits ahead, 38 commits behind huacnlee:master. I can fork insales:master to rebase it on your huacnlee:master branch to create a pull request in case you are willing to merge but too busy to do this.

Please also let me know if the mentioned vulnerability is a result of gem misuse/misconfiguration.

PapevisO, Nov 13 '20 11:11

You may not configure the Cache Store for RuCaptcha

See the document on the README file.

https://github.com/huacnlee/rucaptcha#usage

huacnlee, Nov 13 '20 11:11

I don't think this is the case, because the cache store was configured, even though different from the origin. Origin:

  self.cache_store = :mem_cache_store

Actual:

  self.cache_store = :redis_store, "#{ENV.fetch('REDIS_WORKER_URL')}/cache"

PapevisO, Nov 13 '20 13:11

Surprisingly, I can no longer reproduce the issue on prod/stage/local environments. It simply stopped recurring with no dev/devops activity.

PapevisO, Nov 19 '20 14:11