what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Xornic Contact Us Form CAPTCHA Bypass / XSS

Xornic Contact Us Form CAPTCHA Bypass / XSS
Posted Jun 9, 2014
Authored by Scott Arciszewski

Xornic Contact Us form suffers from CAPTCHA bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, bypass
SHA-256 | f7f6f5c25b99917ad641595ded915f613025726e7ddbd6dc32534152425bf990

Xornic Contact Us Form CAPTCHA Bypass / XSS

Change Mirror Download
Hi FD,

So I got bored/felt nostalgia and decided I would go through the hotscripts
website and audit the top 10 most popular PHP scripts (PHP being my most
proficient language). Y'know, for practice or something.

Unfortunately, there were a number of factors that frustrated this effort:
* Most of the software is under a commercial license
* There are several pages of software ranked 5.00 / 5.00 with N number of
votes, and no apparent rhyme or reason for their sorting. (HotScripts
really could benefit from a Bayesian rating formula e.g. S = R * v/(v+m) +
C * m/(v + m)

So I downloaded a couple of the open source ones onto a VM I didn't
especially care for, and began looking through them.

This one caught my eye, because while it was listed as free and open
source, the author (josh@software.xornic.com) went out of his way to
obfuscate the code. (You know, eval(base64_encode()) level obfuscation.)

So I manually decoded ( s/eval/print/ does wonders) and beautified the
code, then began looking to see what "Josh" at Xornic Software was so
intent on hiding from prying eyes.

##########################
# CONTACT US FORM - 2004-era PHP script
# http://software.xornic.com/contact/index.html
##########################

I. WEAK IMAGE VERIFICATION

When you attempt to send an email, if "image verification" is enabled, it
will attempt to "encrypt" the expected captcha result. What it actually
does is trim whitespace, base 64-encode it, and prepend it with a string:
'Z4rtas' followd by the current day of the month.

# contact.php

if ($image_verification == "Enabled") {
if ($_POST["image_input"] != decrypt_normal($_POST["image"]) ||
$_POST["image"] == "") {
/*
die;
*/
}
}

# image_encoder.php

function encrypt_normal($plaintext)
{
$plaintext = trim($plaintext);
$plaintext = trim(chop(base64_encode($plaintext)));
$plaintext .= "Z4rtas" . date("d");
return $plaintext;
}
function decrypt_normal($ciphertext)
{
$ciphertext = eregi_replace("Z4rtas" . date("d"), "", $ciphertext);
$ciphertext = trim(chop(base64_decode($ciphertext)));
$ciphertext = trim(chop($ciphertext));
return $ciphertext;
}

So, anyone who uses this script, you are easily spammed a bot. Lesson to be
learned: Base64 is not encryption. Sadly, 10 years later, I still have to
explain this to idiots on LinkedIn's PHP groups.

II. CROSS-SITE SCRIPTING

# contact.php

$HTMLbody = '';
$HTMLbody .= "<font face=" . $font_face_email . " size=" . $font_size_email
. " color=" . $font_color_email . ">\n";
$HTMLbody .= "___________SENDER'S DETAILS_________<br />\n";

if ($_POST["name"] != "") {
$HTMLbody .= "Email from " . $_POST["name"] . ",<br />\n";
} else {
$HTMLbody .= "Email from " . $_POST["email"] . ",<br />\n";
}

Et cetera, their setup.php script has similar issues:

echo "<form action=\"" . $_SERVER["PHP_SELF"] . "\" method=post>\n";

##########################

All in all, it was a good way to waste half an hour (most of which I spent
composing this email). When I tried to send the author an email, it came
back as undeliverable.

If anyone actually uses this script, you really might want to write your
own. Or pay me to do it. ;)

With love,
Scott


Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close