Hi FD,

So I got bored/felt nostalgia and decided I would go through the hotscripts website and audit the top 10 most popular PHP scripts (PHP being my most proficient language). Y'know, for practice or something. Unfortunately, there were a number of factors that frustrated this effort:

* Most of the software is under a commercial license
* There are several pages of software ranked 5.00 / 5.00 with N number of votes, and no apparent rhyme or reason for their sorting. (HotScripts really could benefit from a Bayesian rating formula, e.g. S = R * v/(v+m) + C * m/(v+m).)

So I downloaded a couple of the open source ones onto a VM I didn't especially care for, and began looking through them. This one caught my eye, because while it was listed as free and open source, the author (josh@software.xornic.com) went out of his way to obfuscate the code. (You know, eval(base64_encode()) level obfuscation.) So I manually decoded (s/eval/print/ does wonders) and beautified the code, then began looking to see what "Josh" at Xornic Software was so intent on hiding from prying eyes.

##########################
# CONTACT US FORM - 2004-era PHP script
# http://software.xornic.com/contact/index.html
##########################

I. WEAK IMAGE VERIFICATION

When you attempt to send an email, if "image verification" is enabled, the script "encrypts" the expected captcha result and sends it through the form, where it comes back as $_POST["image"] next to what the user typed in $_POST["image_input"]. What encrypt_normal() actually does is trim whitespace, base64-encode the answer, and append a fixed string: 'Z4rtas' followed by the current day of the month. decrypt_normal() simply strips that suffix and base64-decodes, so anyone holding the form field can recover the expected answer.

    # contact.php
    if ($image_verification == "Enabled") {
        if ($_POST["image_input"] != decrypt_normal($_POST["image"]) || $_POST["image"] == "") {
            /* die; */
        }
    }

    # image_encoder.php
    function encrypt_normal($plaintext) {
        $plaintext = trim($plaintext);
        $plaintext = trim(chop(base64_encode($plaintext)));
        $plaintext .= "Z4rtas" . date("d");
        return $plaintext;
    }

    function decrypt_normal($ciphertext) {
        $ciphertext = eregi_replace("Z4rtas" . date("d"), "", $ciphertext);
        $ciphertext = trim(chop(base64_decode($ciphertext)));
        $ciphertext = trim(chop($ciphertext));
        return $ciphertext;
    }

So, anyone who uses this script, you are easily spammed by a bot. Lesson to be learned: Base64 is not encryption. Sadly, 10 years later, I still have to explain this to idiots on LinkedIn's PHP groups.

II. CROSS-SITE SCRIPTING

The POSTed name and email address go straight into the HTML body of the outgoing mail without htmlspecialchars() or any other escaping:

    # contact.php
    $HTMLbody = '';
    $HTMLbody .= "<font face=" . $font_face_email . " size=" . $font_size_email . " color=" . $font_color_email . ">\n";
    $HTMLbody .= "___________SENDER'S DETAILS_________<br />\n";
    if ($_POST["name"] != "") {
        $HTMLbody .= "Email from " . $_POST["name"] . ",<br />\n";
    } else {
        $HTMLbody .= "Email from " . $_POST["email"] . ",<br />\n";
    }

Et cetera, their setup.php script has similar issues:

    echo "<form action=\"" . $_SERVER["PHP_SELF"] . "\" method=post>\n";

##########################

All in all, it was a good way to waste half an hour (most of which I spent composing this email). When I tried to send the author an email, it came back as undeliverable. If anyone actually uses this script, you really might want to write your own. Or pay me to do it. ;)

With love,
Scott
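To make the "Base64 is not encryption" point from section I concrete, here is an added example (mine, written for this post, not code from the Xornic script) that ports encrypt_normal()/decrypt_normal() to Python, shows the form field decoding straight back to the expected answer, and puts a keyed HMAC token beside it. The make_token/verify_token design, the nonce layout and the server secret are my assumptions and appear nowhere in the original script.

```python
import base64
import hashlib
import hmac
import secrets

MARKER = "Z4rtas"  # the fixed suffix the script uses, followed by date("d")


def weak_encrypt(answer: str, day: str) -> str:
    # Port of encrypt_normal(): base64 plus marker plus day of month.
    # base64 is reversible, so whoever receives the form can read the answer.
    return base64.b64encode(answer.strip().encode()).decode() + MARKER + day


def weak_decrypt(token: str, day: str) -> str:
    # Port of decrypt_normal(): strip the suffix and base64-decode.
    return base64.b64decode(token.replace(MARKER + day, "")).decode().strip()


def _tag(secret: bytes, nonce: str, answer: str, day: str) -> str:
    # Keyed tag over nonce, normalised answer and day (hypothetical layout).
    msg = f"{nonce}|{answer.strip().lower()}|{day}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(answer: str, secret: bytes, day: str) -> str:
    """Keyed alternative (my design): the field carries a random nonce and an
    HMAC over nonce, answer and day; the answer itself never leaves the server."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(secret, nonce, answer, day)}"


def verify_token(user_input: str, token: str, secret: bytes, day: str) -> bool:
    """Recompute the tag from what the user typed and compare in constant time.
    A wrong answer, a different day, another key or a malformed field all fail."""
    nonce, sep, tag = token.partition(".")
    if not sep or not nonce or not tag:
        return False
    expected = _tag(secret, nonce, user_input, day)
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed server-side secret
    weak = weak_encrypt("k7qz4", "17")
    print("weak field leaks answer:", weak_decrypt(weak, "17"))
    tok = make_token("k7qz4", key, "17")
    print("keyed token verifies:", verify_token("k7qz4", tok, key, "17"))
    print("wrong answer rejected:", not verify_token("xxxxx", tok, key, "17"))
```

Even the keyed token can be replayed together with its answer until the day changes, so the cleaner fix is to not round-trip the expected answer through the client at all: keep it in the server-side session and compare there.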