Lucene search
+L

Xornic Contact Us Form CAPTCHA Bypass / XSS

🗓️ 09 Jun 2014 00:00:00Reported by Scott ArciszewskiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 32 Views

Xornic Contact Form Weaknesse

Code
`Hi FD,  
  
So I got bored/felt nostalgia and decided I would go through the hotscripts  
website and audit the top 10 most popular PHP scripts (PHP being my most  
proficient language). Y'know, for practice or something.  
  
Unfortunately, there were a number of factors that frustrated this effort:  
* Most of the software is under a commercial license  
* There are several pages of software ranked 5.00 / 5.00 with N number of  
votes, and no apparent rhyme or reason for their sorting. (HotScripts  
really could benefit from a Bayesian rating formula e.g. S = R * v/(v+m) +  
C * m/(v + m)  
  
So I downloaded a couple of the open source ones onto a VM I didn't  
especially care for, and began looking through them.  
  
This one caught my eye, because while it was listed as free and open  
source, the author ([email protected]) went out of his way to  
obfuscate the code. (You know, eval(base64_encode()) level obfuscation.)  
  
So I manually decoded ( s/eval/print/ does wonders) and beautified the  
code, then began looking to see what "Josh" at Xornic Software was so  
intent on hiding from prying eyes.  
  
##########################  
# CONTACT US FORM - 2004-era PHP script  
# http://software.xornic.com/contact/index.html  
##########################  
  
I. WEAK IMAGE VERIFICATION  
  
When you attempt to send an email, if "image verification" is enabled, it  
will attempt to "encrypt" the expected captcha result. What it actually  
does is trim whitespace, base 64-encode it, and prepend it with a string:  
'Z4rtas' followd by the current day of the month.  
  
# contact.php  
  
if ($image_verification == "Enabled") {  
if ($_POST["image_input"] != decrypt_normal($_POST["image"]) ||  
$_POST["image"] == "") {  
/*  
die;  
*/  
}  
}  
  
# image_encoder.php  
  
function encrypt_normal($plaintext)  
{  
$plaintext = trim($plaintext);  
$plaintext = trim(chop(base64_encode($plaintext)));  
$plaintext .= "Z4rtas" . date("d");  
return $plaintext;  
}  
function decrypt_normal($ciphertext)  
{  
$ciphertext = eregi_replace("Z4rtas" . date("d"), "", $ciphertext);  
$ciphertext = trim(chop(base64_decode($ciphertext)));  
$ciphertext = trim(chop($ciphertext));  
return $ciphertext;  
}  
  
So, anyone who uses this script, you are easily spammed a bot. Lesson to be  
learned: Base64 is not encryption. Sadly, 10 years later, I still have to  
explain this to idiots on LinkedIn's PHP groups.  
  
II. CROSS-SITE SCRIPTING  
  
# contact.php  
  
$HTMLbody = '';  
$HTMLbody .= "<font face=" . $font_face_email . " size=" . $font_size_email  
. " color=" . $font_color_email . ">\n";  
$HTMLbody .= "___________SENDER'S DETAILS_________<br />\n";  
  
if ($_POST["name"] != "") {  
$HTMLbody .= "Email from " . $_POST["name"] . ",<br />\n";  
} else {  
$HTMLbody .= "Email from " . $_POST["email"] . ",<br />\n";  
}  
  
Et cetera, their setup.php script has similar issues:  
  
echo "<form action=\"" . $_SERVER["PHP_SELF"] . "\" method=post>\n";  
  
##########################  
  
All in all, it was a good way to waste half an hour (most of which I spent  
composing this email). When I tried to send the author an email, it came  
back as undeliverable.  
  
If anyone actually uses this script, you really might want to write your  
own. Or pay me to do it. ;)  
  
With love,  
Scott  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation