| शीर्षक | Odyssey CMS 10.35 Use of Hard-coded, Security-relevant Constants |
|---|
| विवरण | [Hardcoded reCAPTCHA secret key] found in Odyssey CMS 10.35 - (odyssey_contact_form.php)
Affected Project: **Odyssey CMS 10.35**
Exploit Author: Dimitris Chatzidimitris
Platform: Web/Php
Vendor: Odyssey
Official Application Link: (https://odyssey.webpage.gr/new/)
Version: 10.35
## Description:
The application embeds a hardcoded reCAPTCHA secret key `(6LesLCATAAAAADWqbi8Uro_z_OLzekDuxdAkdzX4)` within the source code file `modules/odyssey_contact_form/odyssey_contact_form.php`.
## Root cause:
Vulnerability found at: **odyssey_contact_form.php**
Path: modules/odyssey_contact_form/odyssey_contact_form.php
## Vulnerability Analysis:
Because the secret key is exposed, the attacker can bypass the reCAPTCHA validation by forging requests or using the key to validate their own malicious requests.
The code checks if the g-recaptcha-response is present and validates it with Google's API, but it does not verify the hostname or action returned by Google's API.
## Impact:
Reuse CAPTCHA response: This could allow an attacker to reuse a valid CAPTCHA response from another site or form.
Impersonate the Application: Use the key to generate valid reCAPTCHA responses for their own malicious site or service, potentially exhausting the legitimate site’s reCAPTCHA quota or incurring costs if tied to a paid tier.
Exploit Weak Form Handling: The CAPTCHA is the only defense against automated submissions and when the attacker bypasses it, they could exploit the form’s purpose (e.g., account creation, password reset, or data submission) to perform actions like:
1) Creating fake accounts.
2) Triggering denial-of-service (DoS) by overwhelming the server with requests.
## Vulnerable code POC:
if ($useCaptcha == "2") { // Google reCaptcha
if (isset($_POST['g-recaptcha-response'])) $captcha = $_POST['g-recaptcha-response'];
if (!$captcha) {
$messages->addError(t("Πρέπει να αποδείξετε πως δεν είστε ρομπότ"));
} else {
$secretKey = "6LesLCATAAAAADWqbi8Uro_z_OLzekDuxdAkdzX4";
$ip = $_SERVER['REMOTE_ADDR'];
$response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=" . $secretKey . "&response=" . $captcha . "&remoteip=" . $ip);
$responseKeys = json_decode($response, true);
$hostname = str_replace("www.", NULL, $responseKeys["hostname"]);
$domainValidated = (strpos($domain_name, $hostname) !== false);
if (!$domainValidated || intval($responseKeys["success"]) !== 1) {
$messages->addError(t("Πρέπει να αποδείξετε πως δεν είστε ρομπότ"));
}
}
}
## Summary of Recommendations:
1) Move the reCAPTCHA secret key to a secure location (e.g., environment variable).
2) Validate the hostname and action fields in the Google API response.
3) Implement rate limiting to prevent brute-force attacks.
4) Add CSRF protection to prevent cross-site request forgery.
5) Sanitize and validate all user input to prevent injection attacks.
6) Enforce HTTPS for all reCAPTCHA API requests.
7) Upgrade to reCAPTCHA v3 for better security.
> One Click Can Change Everything: Be Secure.
|
|---|
| स्रोत | ⚠️ https://github.com/secuserx/CVE/blob/main/%5BHardcoded%20reCAPTCHA%20secret%20key%5D%20found%20in%20Odyssey%20CMS%2010.35%20-%20(odyssey_contact_form.php).md |
|---|
| उपयोगकर्ता | secuserx (UID 76735) |
|---|
| सबमिशन | 02/03/2025 02:05 PM (1 वर्ष पहले) |
|---|
| संयम | 11/03/2025 04:18 PM (9 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 299292 [Odyssey CMS तक 10.34 reCAPTCHA odyssey_contact_form.php g-recaptcha-response सूचना का प्रकटीकरण] |
|---|
| अंक | 20 |
|---|