exploit the possibilities

Xornic Contact Us Form CAPTCHA Bypass / XSS

Xornic Contact Us Form CAPTCHA Bypass / XSS
Posted Jun 9, 2014
Authored by Scott Arciszewski

Xornic Contact Us form suffers from CAPTCHA bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, bypass
MD5 | 1fc32fa7f30e12c3a346e47a01e2a0c8

Xornic Contact Us Form CAPTCHA Bypass / XSS

Change Mirror Download
Hi FD,

So I got bored/felt nostalgia and decided I would go through the hotscripts
website and audit the top 10 most popular PHP scripts (PHP being my most
proficient language). Y'know, for practice or something.

Unfortunately, there were a number of factors that frustrated this effort:
* Most of the software is under a commercial license
* There are several pages of software ranked 5.00 / 5.00 with N number of
votes, and no apparent rhyme or reason for their sorting. (HotScripts
really could benefit from a Bayesian rating formula e.g. S = R * v/(v+m) +
C * m/(v + m)

So I downloaded a couple of the open source ones onto a VM I didn't
especially care for, and began looking through them.

This one caught my eye, because while it was listed as free and open
source, the author (josh@software.xornic.com) went out of his way to
obfuscate the code. (You know, eval(base64_encode()) level obfuscation.)

So I manually decoded ( s/eval/print/ does wonders) and beautified the
code, then began looking to see what "Josh" at Xornic Software was so
intent on hiding from prying eyes.

##########################
# CONTACT US FORM - 2004-era PHP script
# http://software.xornic.com/contact/index.html
##########################

I. WEAK IMAGE VERIFICATION

When you attempt to send an email, if "image verification" is enabled, it
will attempt to "encrypt" the expected captcha result. What it actually
does is trim whitespace, base 64-encode it, and prepend it with a string:
'Z4rtas' followd by the current day of the month.

# contact.php

if ($image_verification == "Enabled") {
if ($_POST["image_input"] != decrypt_normal($_POST["image"]) ||
$_POST["image"] == "") {
/*
die;
*/
}
}

# image_encoder.php

function encrypt_normal($plaintext)
{
$plaintext = trim($plaintext);
$plaintext = trim(chop(base64_encode($plaintext)));
$plaintext .= "Z4rtas" . date("d");
return $plaintext;
}
function decrypt_normal($ciphertext)
{
$ciphertext = eregi_replace("Z4rtas" . date("d"), "", $ciphertext);
$ciphertext = trim(chop(base64_decode($ciphertext)));
$ciphertext = trim(chop($ciphertext));
return $ciphertext;
}

So, anyone who uses this script, you are easily spammed a bot. Lesson to be
learned: Base64 is not encryption. Sadly, 10 years later, I still have to
explain this to idiots on LinkedIn's PHP groups.

II. CROSS-SITE SCRIPTING

# contact.php

$HTMLbody = '';
$HTMLbody .= "<font face=" . $font_face_email . " size=" . $font_size_email
. " color=" . $font_color_email . ">\n";
$HTMLbody .= "___________SENDER'S DETAILS_________<br />\n";

if ($_POST["name"] != "") {
$HTMLbody .= "Email from " . $_POST["name"] . ",<br />\n";
} else {
$HTMLbody .= "Email from " . $_POST["email"] . ",<br />\n";
}

Et cetera, their setup.php script has similar issues:

echo "<form action=\"" . $_SERVER["PHP_SELF"] . "\" method=post>\n";

##########################

All in all, it was a good way to waste half an hour (most of which I spent
composing this email). When I tried to send the author an email, it came
back as undeliverable.

If anyone actually uses this script, you really might want to write your
own. Or pay me to do it. ;)

With love,
Scott


Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close