Description
Captcha Brute-force Vulnerability in Litemall (≤ v1.8.0)
Summary
A captcha brute-force vulnerability exists in Litemall versions ≤ 1.8.0 because captcha text is generated by an insecure third-party component. The application declares the following dependency:

```xml
<dependency>
    <groupId>com.github.penggle</groupId>
    <artifactId>kaptcha</artifactId>
    <version>2.3.2</version>
</dependency>
```

This version of Kaptcha is affected by CVE-2018-18531: its captcha text generator uses java.util.Random instead of the cryptographically secure java.security.SecureRandom. Because the generator's output is predictable, captcha values can be guessed, which makes brute-force attacks against the endpoints the captcha protects far easier.
Details
Because the captcha text is drawn from a predictable pseudo-random number generator (java.util.Random is a deterministic 48-bit linear congruential generator whose seed and state are not cryptographically hidden), an attacker who models the generator can narrow each captcha to a small set of candidate values instead of the full alphabet space. Combined with automated requests, this lets the attacker get past the captcha check at a rate it was meant to prevent, and so mount high-frequency brute-force attacks against sensitive targets, such as the administrator login, without being effectively blocked by the captcha.
Impact
Attackers exploiting this vulnerability can:
- Bypass captcha protections intended to limit login attempts
- Launch brute-force password attacks on privileged administrator accounts
- Increase the likelihood of unauthorized system access and potential full application compromise
Root Cause
The root cause is the use of an outdated, insecure captcha library (kaptcha 2.3.2) whose text generator draws characters with java.util.Random rather than java.security.SecureRandom. java.util.Random is a deterministic 48-bit linear congruential generator: anyone who knows, or can brute-force, its seed reproduces its entire output, so captcha codes can be precomputed or predicted in real time. The fix is to generate captcha text from SecureRandom.
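As an added example that is not part of this advisory and not code from Litemall or Kaptcha, serving both the Details and Root Cause sections above: a Python port of the java.util.Random algorithm with the vulnerable captcha pattern and its hardened counterpart side by side, plus the attacker-side seed search that the Details section describes. The alphabet, the five-character length and the assumption that the generator is seeded from the millisecond clock are choices of this example; the advisory only establishes that java.util.Random is the generator.

```python
# Added example, not code from Litemall or Kaptcha: a Python port of the
# java.util.Random algorithm (a 48-bit linear congruential generator), used to
# show why captcha text drawn from it with a guessable seed is predictable.
# The alphabet, the length and the millisecond-clock seeding are assumptions
# of this example; the advisory only states that java.util.Random is used.
import secrets

MULT = 0x5DEECE66D
ADDEND = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Port of java.util.Random: same seed scrambling, same LCG step, same nextInt."""

    def __init__(self, seed):
        self.seed = (seed ^ MULT) & MASK

    def _next(self, bits):
        self.seed = (self.seed * MULT + ADDEND) & MASK
        return self.seed >> (48 - bits)

    def next_int(self, bound=None):
        """nextInt() returns a signed 32-bit int; nextInt(bound) is uniform in [0, bound)."""
        if bound is None:
            v = self._next(32)
            return v - (1 << 32) if v >= (1 << 31) else v
        if bound <= 0:
            raise ValueError("bound must be positive")
        r = self._next(31)
        m = bound - 1
        if bound & m == 0:                 # power-of-two bound: take the high bits
            return (bound * r) >> 31
        u = r
        r = u % bound
        while u - r + m >= (1 << 31):      # Java's overflow test "u - r + m < 0": redraw
            u = self._next(31)
            r = u % bound
        return r


CHARS = "abcde2345678gfynmnpwx"   # constructed alphabet for the demo
LENGTH = 5


def weak_captcha(seed_ms, length=LENGTH, chars=CHARS):
    """Vulnerable pattern: characters picked with java.util.Random from a guessable seed.
    Seeding from the millisecond clock is assumed here to make the seed space concrete."""
    rng = JavaRandom(seed_ms)
    return "".join(chars[rng.next_int(len(chars))] for _ in range(length))


def recover_seed(observed, t_guess_ms, window_ms, length=LENGTH, chars=CHARS):
    """Attacker side: try every millisecond within +/- window_ms of the guessed issue
    time for a seed that reproduces an observed captcha. Returns the seed or None."""
    for delta in range(-window_ms, window_ms + 1):
        seed = t_guess_ms + delta
        if weak_captcha(seed, length, chars) == observed:
            return seed
    return None


def candidate_captchas(t_guess_ms, window_ms, length=LENGTH, chars=CHARS):
    """Attacker side: every captcha the server could have issued in the window.
    A +/- 1000 ms window yields at most 2001 strings, versus len(chars) ** length."""
    return {weak_captcha(t_guess_ms + d, length, chars)
            for d in range(-window_ms, window_ms + 1)}


def secure_captcha(length=LENGTH, chars=CHARS):
    """Hardened pattern: a CSPRNG (secrets here; java.security.SecureRandom in Java).
    There is no seed to guess, so all len(chars) ** length strings are equally likely."""
    return "".join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    issued_at = 1_700_000_000_123      # constructed server clock value in ms
    shown = weak_captcha(issued_at)
    # The attacker knows the issue time only to about a second (e.g. from the Date
    # header), so the guess is off by a few hundred ms and the window is +/- 1000 ms.
    print("recovered seed:", recover_seed(shown, issued_at + 417, 1000))
    print("candidates in window:", len(candidate_captchas(issued_at + 417, 1000)),
          "vs full space:", len(CHARS) ** LENGTH)
```

`JavaRandom(0).next_int()` returns -1155484576, the same value `new Random(0).nextInt()` gives on the JVM, which is how a reader can check that the port is faithful before trusting the seed search. In Java the equivalent of `secure_captcha` is to draw the characters from a `java.security.SecureRandom` instance instead of `java.util.Random`; with no guessable seed, the attacker is back to the full `len(chars) ** length` space on every attempt.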