
Securimage 3.5 URI-based Cross-Site Scripting Vulnerability

Medium
Advisory ID: ZSL-2013-5139
Release Date: 10 May 2013
Vendor: Securimage PHP CAPTCHA - http://www.phpcaptcha.org
Affected Version: 3.5
CVE: N/A
Tested On: Apache, PHP 5.3.6
Summary

Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse.

Description

Securimage suffers from an XSS issue in 'example_form.php', which echoes the 'REQUEST_URI' server variable into the form's action attribute. The vulnerability is present because the affected script applies no filtering or encoding to that variable. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

/example_form.php:
-------------------------
47: <form method="post" action="<?php echo $_SERVER['REQUEST_URI'] . $_SERVER['QUERY_STRING'] ?>" id="contact_form">
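The defective line above next to two hardened variants, as an added illustration that is not Securimage's own code or its 3.5.1 patch (which this advisory does not reproduce); the sample request values are constructed here for the demonstration.

```php
<?php
// Added example, not code from Securimage: the pattern from line 47 of
// example_form.php (a client-influenced server variable echoed raw into an
// HTML attribute) beside two safe alternatives. Run with: php this_file.php

// Vulnerable pattern as quoted in the advisory. The request path and query
// string are chosen by whoever crafts the link, so they are untrusted input.
// Note that REQUEST_URI already contains the query string, so appending
// QUERY_STRING also duplicates it in the rendered action.
function vulnerable_action(array $server): string
{
    return '<form method="post" action="' . $server['REQUEST_URI']
         . $server['QUERY_STRING'] . '" id="contact_form">';
}

// Hardened: HTML-encode the value for the attribute context before echoing it.
// ENT_QUOTES encodes both quote characters, so the value cannot terminate the
// action="..." attribute; '<' and '>' are encoded as well.
function hardened_action(array $server): string
{
    $action = htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '" id="contact_form">';
}

// Simplest option for a self-posting example form: do not reflect the URI at
// all. A form without an action attribute submits to the current document URL.
function static_action(): string
{
    return '<form method="post" id="contact_form">';
}

// Constructed sample request (not taken from the advisory): the query string
// carries characters that are significant inside an HTML attribute.
$sample = [
    'REQUEST_URI'  => '/example_form.php?ref=a"b<c>',
    'QUERY_STRING' => 'ref=a"b<c>',
];

echo "vulnerable: ", vulnerable_action($sample), PHP_EOL;
echo "hardened:   ", hardened_action($sample), PHP_EOL; // ref=a&quot;b&lt;c&gt;
echo "static:     ", static_action(), PHP_EOL;
```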
Proof of Concept
Disclosure Timeline
21.04.2013 - Vulnerability discovered.
23.04.2013 - Contact with the vendor.
23.04.2013 - Vendor replies asking for more details.
23.04.2013 - Sent detailed information to the vendor.
24.04.2013 - Working with the vendor.
30.04.2013 - Asked vendor for status update.
09.05.2013 - No reply from the vendor.
10.05.2013 - Public security advisory released.
15.02.2014 - Vendor releases version 3.5.1 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
10.05.2013 - Initial release
11.05.2013 - Added references [1], [2] and [3]
14.05.2013 - Added reference [4]
17.05.2013 - Added reference [5]
08.03.2015 - Added vendor status and reference [6]
26.08.2016 - Added reference [7]