Magento formId is mandatory on captcha refresh

Written by Peter Davies.

On a client site we kept receiving the following error message, which suggested that a client could somehow access the captcha URL directly without posting any of the *required* data:

URL: http://www.domain.com/captcha/refresh/
IP Address: 123.123.123.13
Time: 2013-04-17 08:19:56 GMT
Error:
formId is mandatory

A quick edit of /app/code/core/Mage/Captcha/controllers/RefreshController.php should prevent the error: just after line 44, add a check on the posted value "formId", like this:

// Stop here when no formId was posted, before the captcha is built
if (empty($formId)) return false;

Now a direct request to /captcha/refresh/ will no longer generate an error e-mail.
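
The guard in context, as an added stand-alone sketch (not Magento's code and not from the original post). `CaptchaModelStub` and `refreshAction()` are hypothetical stand-ins, `user_login` and the image path are constructed sample values, and the guarded branch returns an explicit 400 and also rejects non-string values, where the post's one-liner simply returns:

```php
<?php
// Added illustration: stand-alone model of the refresh flow, not Magento code.
// CaptchaModelStub and refreshAction() are hypothetical names.
class CaptchaModelStub
{
    private $formId;

    public function __construct(array $params)
    {
        // Models the failure reported in the error e-mail above.
        if (empty($params['formId'])) {
            throw new InvalidArgumentException('formId is mandatory');
        }
        $this->formId = $params['formId'];
    }

    public function getImgSrc()
    {
        // Constructed path, for illustration only.
        return '/media/captcha/' . rawurlencode($this->formId) . '.png';
    }
}

// $post: posted fields (what $_POST would hold); $guarded: apply the check.
// Returns array(HTTP status, JSON body).
function refreshAction(array $post, $guarded)
{
    $formId = isset($post['formId']) ? $post['formId'] : null;
    // Reject anything that is not a non-empty string (covers formId[]=x too).
    if ($guarded && (!is_string($formId) || empty($formId))) {
        return array(400, json_encode(array('error' => 'formId required')));
    }
    $model = new CaptchaModelStub(array('formId' => $formId));
    return array(200, json_encode(array('imgSrc' => $model->getImgSrc())));
}

// Constructed requests: a normal AJAX refresh and a direct hit with no POST data.
$requests = array('ajax refresh' => array('formId' => 'user_login'), 'direct hit' => array());
foreach ($requests as $label => $post) {
    foreach (array(false, true) as $guarded) {
        try {
            list($status, $body) = refreshAction($post, $guarded);
            $result = $status . ' ' . $body;
        } catch (InvalidArgumentException $e) {
            $result = 'exception: ' . $e->getMessage();
        }
        printf("%-12s guarded=%d -> %s\n", $label, $guarded, $result);
    }
}
```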