Xornic Contact Us Form - Captcha Bypass / XSS

[Scott Arciszewski <scott () arciszewski me>]

Hi FD,

So I got bored/felt nostalgia and decided I would go through the hotscripts
website and audit the top 10 most popular PHP scripts (PHP being my most
proficient language). Y'know, for practice or something.

Unfortunately, there were a number of factors that frustrated this effort:
* Most of the software is under a commercial license
* There are several pages of software ranked 5.00 / 5.00 with N number of
votes, and no apparent rhyme or reason for their sorting. (HotScripts
really could benefit from a Bayesian rating formula e.g. S = R * v/(v+m) +
C * m/(v + m)

So I downloaded a couple of the open source ones onto a VM I didn't
especially care for, and began looking through them.

This one caught my eye, because while it was listed as free and open
source, the author (josh () software xornic com) went out of his way to
obfuscate the code. (You know, eval(base64_encode()) level obfuscation.)

So I manually decoded ( s/eval/print/ does wonders) and beautified the
code, then began looking to see what "Josh" at Xornic Software was so
intent on hiding from prying eyes.

##########################
# CONTACT US FORM - 2004-era PHP script
# http://software.xornic.com/contact/index.html
##########################

I. WEAK IMAGE VERIFICATION

When you attempt to send an email, if "image verification" is enabled, it
will attempt to "encrypt" the expected captcha result. What it actually
does is trim whitespace, base 64-encode it, and prepend it with a string:
'Z4rtas' followd by the current day of the month.

# contact.php

if ($image_verification == "Enabled") {
    if ($_POST["image_input"] != decrypt_normal($_POST["image"]) ||
$_POST["image"] == "") {
        /*
        die;
        */
    }
}

# image_encoder.php

function encrypt_normal($plaintext)
{
    $plaintext = trim($plaintext);
    $plaintext = trim(chop(base64_encode($plaintext)));
    $plaintext .= "Z4rtas" . date("d");
    return $plaintext;
}
function decrypt_normal($ciphertext)
{
    $ciphertext = eregi_replace("Z4rtas" . date("d"), "", $ciphertext);
    $ciphertext = trim(chop(base64_decode($ciphertext)));
    $ciphertext = trim(chop($ciphertext));
    return $ciphertext;
}

So, anyone who uses this script, you are easily spammed a bot. Lesson to be
learned: Base64 is not encryption. Sadly, 10 years later, I still have to
explain this to idiots on LinkedIn's PHP groups.

II. CROSS-SITE SCRIPTING

# contact.php

$HTMLbody = '';
$HTMLbody .= "<font face=" . $font_face_email . " size=" . $font_size_email
. " color=" . $font_color_email . ">\n";
$HTMLbody .= "___________SENDER'S DETAILS_________<br />\n";

if ($_POST["name"] != "") {
    $HTMLbody .= "Email from " . $_POST["name"] . ",<br />\n";
} else {
    $HTMLbody .= "Email from " . $_POST["email"] . ",<br />\n";
}

Et cetera, their setup.php script has similar issues:

echo "<form action=\"" . $_SERVER["PHP_SELF"] . "\" method=post>\n";

##########################

All in all, it was a good way to waste half an hour (most of which I spent
composing this email). When I tried to send the author an email, it came
back as undeliverable.

If anyone actually uses this script, you really might want to write your
own. Or pay me to do it. ;)

With love,
Scott

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/