Summary: iDS6 Software's DSSPro network digital signage management
system is a web-based server software solution for Windows.
Desc: The CAPTCHA function in DSSPro is prone to a security bypass
vulnerability in its CAPTCHA authentication routine. By requesting
the autoLoginVerifyCode object, an attacker can receive a JSON
message code, bypass the CAPTCHA-based authentication challenge,
and perform brute-force attacks.
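
Added example (not part of the original advisory or the vendor's code): a log check for the behaviour described above, flagging clients that request the autoLoginVerifyCode object repeatedly within a short window. The Tomcat "common" access log pattern, the /PLACEHOLDER/ paths, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: Tomcat "common" pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
MARKER = "autoLoginVerifyCode"  # object name taken from the advisory text

def flag_code_harvesting(lines, max_hits=5, window=timedelta(seconds=60)):
    """Return {client: peak_count} for clients that requested the verify-code
    object more than max_hits times inside any sliding window.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or MARKER not in m.group(4):
            continue  # unparsable line or unrelated request
        client = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

def constructed_sample():
    """Constructed log lines; paths are placeholders, not the product's real URLs."""
    tpl = '{ip} - - [01/Jan/2024:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" 200 64'
    code_req = "GET /PLACEHOLDER/autoLoginVerifyCode"
    lines = [tpl.format(ip="192.0.2.10", mm=0, ss=s, req=code_req) for s in range(12)]
    # A second client that fetches the object twice, minutes apart, then logs in once.
    lines += [tpl.format(ip="198.51.100.7", mm=m, ss=0, req=code_req) for m in (1, 9)]
    lines.append(tpl.format(ip="198.51.100.7", mm=9, ss=5, req="POST /PLACEHOLDER/login"))
    return lines

if __name__ == "__main__":
    for client, peak in flag_code_harvesting(constructed_sample()).items():
        print(f"{client}: {peak} {MARKER} requests within 60s")
```

Tune max_hits and window against the request rate that legitimate login pages produce in your deployment before alerting on it.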
Tested on: Microsoft Windows XP
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2012
Microsoft Windows 10
Apache Tomcat/8.0.44
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Apache Axis/1.4
MySQL 5.5.25
Java 1.8.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience