hack antispam code (if numbers are not changed)

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/60349?pagenum=1
05 November 2025, 04:58

Topic


Sonic
hack antispam code (if numbers are not changed)
03 December 2005, 05:04


where: anti-spam-registration code and guestbook 3.6

what: users / scripts can count back the antispam code and can enter the right security code

exploit: right click on a security image you should see --> e.g. http://aspire/register.asp?code=image&rc=12343321851&p=1

- we now need the number red marked
- and the count variable (in the antispam code)
RandCode = (strRCCode + 17456) / 50000

==> now count:
12343321851 + 17456 / 50000 = you get the image code
bugfix: to prevent this change the numbers to some other e.g.
from -> RandomizedCode = NumbersToShow * 50000 - 17456 to => RandomizedCode = NumbersToShow * 47900 - 15249
and:

from -> RandCode = (strRCCode + 17456) / 50000 to => RandCode = (strRCCode + 15249) / 47900
Don't use the numbers here, it is just a sample; use other numbers... I don't know a page where it has happened, but the way is there... so it is better to change everything to make it hard to hack something.

 

Replies ...


Nertz
03 December 2005, 17:26


Actually, if you submit this URL with register.asp?code=image&rc=12343321851&p=1, it will redirect to the first digit image, which is usually in the form of n.gif. The file name actually gives away the digit in the code. Increasing the number for p will eventually get you all the digits, irregardless of what formula you used. There should be a way to prevent register.asp from showing the digits if the page was not called from a form submit.
cheers,
Nat
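
An added example, not part of the thread or of the Snitz code: a Python sketch (the forum itself is classic ASP) showing that the linear rc mapping from the first post round-trips under both the original and the replacement constants, next to a server-side store where the URL carries only a random single-use token. The ChallengeStore class, its method names, the 300-second lifetime and the 6-digit code length are assumptions made for illustration.

```python
import hmac
import secrets
import time


# Scheme discussed in the thread: rc is a fixed linear function of the code,
# so anyone who can read the two constants in the mod source can invert it.
def weak_rc(code, mul, off):
    return code * mul - off


def weak_recover(rc, mul, off):
    return (rc + off) // mul


class ChallengeStore:
    """Hypothetical server-side store: the code never appears in a URL."""

    def __init__(self, ttl=300, now=time.time):
        self._pending = {}      # token -> (code, expiry time)
        self._ttl = ttl
        self._now = now

    def issue(self, digits=6):
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        token = secrets.token_urlsafe(16)   # random, unrelated to the code
        self._pending[token] = (code, self._now() + self._ttl)
        # Only the token goes into the form and image URL. The code is drawn
        # into one server-rendered image, not served as per-digit n.gif files.
        return token, code

    def verify(self, token, answer):
        # pop() makes every token single use, including after a wrong guess.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        code, expiry = entry
        if self._now() > expiry:
            return False
        return hmac.compare_digest(code.encode(), answer.encode())
```

Because the token is dropped on the first verification attempt, a script cannot keep guessing against the same challenge, and there is no parameter like p to step through.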