Your captcha is too weak and is almost useless at preventing brute-force attacks, and attacks like creating lots of tickets as mentioned above. I would advise using a strong captcha.
It can be easily decoded with any OCR, for example:
https://code.google.com/p/tesseract-ocr/downloads/list
Use tesseract-ocr-setup-3.02.02.exe.
After installing this, just run the command:
tesseract captcha.png decoded.txt -l eng
Example:
It will be accurate 95% of the time.
It is possible for an attacker to code some automated tool to launch brute-force attacks,
create 1000's of new users, create lots of support tickets, etc.
Thanks
How will the attacker create 1000's of new users? It seems email authentication is required to create each user.
Yeah, he can't; forgot about email authentication. But still, this captcha defeats the purpose of using a captcha.
I already mentioned using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain, fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.
In addition to this, there are more vulnerabilities that have been left unpatched.
1. The POST variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. The POST variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless of whether you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.
I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found, even though they were totally unique from the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.
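A defensive illustration of item 3 above, added here as an example and not code from the site or from anyone in the thread: the ticket status handler as reported (keyed on ticket_id alone, with no CSRF check) beside a hardened version that checks the session's CSRF token, validates input, and scopes the update to the caller's own tickets with a parameterized query. The table schema, the session dict and the token values are constructed assumptions.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's ticket table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, status INTEGER)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 1)])
    db.commit()
    return db


def ticket_status(db, ticket_id):
    return db.execute("SELECT status FROM tickets WHERE id = ?", (ticket_id,)).fetchone()[0]


def change_status_reported(db, params):
    """Mirrors the reported behaviour: the query keys on ticket_id alone, so any
    logged-in user can open or close any ticket, and no CSRF token is checked."""
    db.execute("UPDATE tickets SET status = ? WHERE id = ?",
               (int(params["status"]), int(params["ticket_id"])))
    db.commit()
    return 200


def change_status_hardened(db, session, params):
    """Same endpoint with the checks the report says are missing."""
    # 1. CSRF: the token must match the caller's own session; constant-time compare.
    if not hmac.compare_digest(params.get("csrf_token", ""), session["csrf_token"]):
        return 403
    # 2. Input validation: status is a 0/1 flag, ticket_id a decimal integer.
    if params.get("status") not in ("0", "1") or not params.get("ticket_id", "").isdigit():
        return 400
    # 3. Authorization: scope the write to the caller's own tickets. Placeholders
    #    also close the SQL-injection class reported for trade.php.
    cur = db.execute("UPDATE tickets SET status = ? WHERE id = ? AND owner = ?",
                     (int(params["status"]), int(params["ticket_id"]), session["user"]))
    db.commit()
    # Zero rows means the ticket is missing or not ours; answer 404 either way so the
    # endpoint cannot be used to enumerate other users' ticket ids.
    return 200 if cur.rowcount == 1 else 404


if __name__ == "__main__":
    db = make_db()
    alice = {"user": "alice", "csrf_token": "t0ken-alice"}  # constructed session
    print(change_status_reported(db, {"status": "0", "ticket_id": "2"}))  # 200: bob's ticket closed
    print(change_status_hardened(db, alice, {"status": "1", "ticket_id": "2",
                                             "csrf_token": "t0ken-alice"}))  # 404: not alice's ticket
```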