RE: Security issue in SimpleCaptcha

Mateusz Makos, modified 6 years ago. New Member, Posts: 1, Join Date: 4/20/18
Hi,
I'm facing the following security issue in Liferay's default CAPTCHA.
Steps to reproduce the error are below:
As a Guest (not logged-in user) I go to the site: http://localhost:8080/web/guest/home. I click Sign In -> Create Account. I fill in the fields with data in such a way that after I click the Save button the page will be reloaded and I get a validation message (e.g. if I enter a Screen Name that already exists in the database, or I enter an incorrect Text Verification). As the password I enter: test1. I click the Save button. After the page reloads I open the page source. I look for the previously entered password (the phrase "test1"). I was able to find this phrase in 2 places. Code snippets below.
Code snippet 1:
<div class="taglib-captcha">
    <img alt="Text to Identify" class="captcha" id="_com_liferay_login_web_portlet_LoginPortlet_captcha" src="http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&amp;p_p_lifecycle=2&amp;p_p_state=maximized&amp;p_p_mode=view&amp;p_p_resource_id=%2Flogin%2Fcaptcha&amp;p_p_cacheability=cacheLevelPage&amp;p_p_lifecycle=1&amp;_com_liferay_login_web_portlet_LoginPortlet_redirect=&amp;_com_liferay_login_web_portlet_LoginPortlet_birthday=01%2F01%2F1970&amp;_com_liferay_login_web_portlet_LoginPortlet_lastName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Fcreate_account&amp;_com_liferay_login_web_portlet_LoginPortlet_formDate=1563352565441&amp;_com_liferay_login_web_portlet_LoginPortlet_openId=&amp;_com_liferay_login_web_portlet_LoginPortlet_suffixValue=&amp;_com_liferay_login_web_portlet_LoginPortlet_languageId=en_US&amp;_com_liferay_login_web_portlet_LoginPortlet_prefixValue=&amp;_com_liferay_login_web_portlet_LoginPortlet_screenName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayMonth=0&amp;_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Fcreate_account&amp;_com_liferay_login_web_portlet_LoginPortlet_firstName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_emailAddress=test%40test.com&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayDay=1&amp;_com_liferay_login_web_portlet_LoginPortlet_middleName=&amp;_com_liferay_login_web_portlet_LoginPortlet_[b]password2=test1[/b]&amp;_com_liferay_login_web_portlet_LoginPortlet_captchaText=22222222222&amp;_com_liferay_login_web_portlet_LoginPortlet_cmd=add&amp;_com_liferay_login_web_portlet_LoginPortlet_[b]password1=test1[/b]&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayYear=1970&amp;t=1563352591357">
</div>
Code snippet 2:
var refreshCaptcha = document.getElementById('_com_liferay_login_web_portlet_LoginPortlet_refreshCaptcha');

if (refreshCaptcha) {
    refreshCaptcha.addEventListener(
        'click',
        function() {
            var url = Liferay.Util.addParams('t=' + Date.now(), 'http\x3a\x2f\x2flocalhost\x3a8080\x2fweb\x2fguest\x2fhome\x3fp_p_id\x3dcom_liferay_login_web_portlet_LoginPortlet\x26p_p_lifecycle\x3d2\x26p_p_state\x3dmaximized\x26p_p_mode\x3dview\x26p_p_resource_id\x3d\x252Flogin\x252Fcaptcha\x26p_p_cacheability\x3dcacheLevelPage\x26p_p_lifecycle\x3d1\x26_com_liferay_login_web_portlet_LoginPortlet_redirect\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_birthday\x3d01\x252F01\x252F1970\x26_com_liferay_login_web_portlet_LoginPortlet_lastName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_javax\x2eportlet\x2eaction\x3d\x252Flogin\x252Fcreate_account\x26_com_liferay_login_web_portlet_LoginPortlet_formDate\x3d1563352565441\x26_com_liferay_login_web_portlet_LoginPortlet_openId\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_suffixValue\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_languageId\x3den_US\x26_com_liferay_login_web_portlet_LoginPortlet_prefixValue\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_screenName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayMonth\x3d0\x26_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName\x3d\x252Flogin\x252Fcreate_account\x26_com_liferay_login_web_portlet_LoginPortlet_firstName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_emailAddress\x3dtest\x2540test\x2ecom\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayDay\x3d1\x26_com_liferay_login_web_portlet_LoginPortlet_middleName\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_[b]password2\x3dtest1[/b]\x26_com_liferay_login_web_portlet_LoginPortlet_captchaText\x3d22222222222\x26_com_liferay_login_web_portlet_LoginPortlet_cmd\x3dadd\x26_com_liferay_login_web_portlet_LoginPortlet_[b]password1\x3dtest1[/b]\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayYear\x3d1970');

            var captcha = document.getElementById('_com_liferay_login_web_portlet_LoginPortlet_captcha');

            if (captcha) {
                captcha.setAttribute('src', url);
            }
        }
    );
}
I was able to reproduce this error on LF 7.1 GA3 CE and LF 7.2 GA1 CE. I am working with the default LF Create Account portlet (not modified). The CAPTCHA settings in the Control Panel are set to the defaults.
Additional observations:
  • the error does not occur if I turn off CAPTCHA (go to Control Panel –> System Settings –> Security Tools in the SECURITY section –> uncheck the checkbox ‘Create Account CAPTCHA Enabled’)
  • it does not matter whether I enter a correct or incorrect Text Verification
  • the error does not occur if I change the CAPTCHA Engine to reCAPTCHA
I suppose the problem is in Liferay's implementation of CAPTCHA (SimpleCaptcha).
Is there any way to deal with this error without changing the CAPTCHA engine or disabling CAPTCHA?
Tomas Polesovsky, modified 6 years ago. Liferay Master, Posts: 677, Join Date: 2/13/09
Hi, I'll take a look at the problem. I'd like to ask you to send security-sensitive topics to the community security team (security @ liferay.com). This is not a severe issue, but it's better to discuss these things in private; you may put customers' and community deployments at risk. Thank you.
Milen Dyankov, modified 6 years ago. Expert, Posts: 310, Join Date: 10/30/12
Hi Mateusz Makos,

I removed the view permissions from this entry as it is security related.
I'm told you are in contact with our security team via e-mail / JIRA, so please keep using those channels.
Best,
Milen