HTML injection in Securimage

General Information

Affected Software: Securimage
Affected Versions: < 3.6.5
Vendor: Securimage
Vendor Page: https://www.phpcaptcha.org/
Vulnerability: HTML injection
Severity: Medium
CVE ID: CVE-2017-14077

Short Description

HTML injection in Securimage 3.6.4 and earlier allows remote attackers to inject arbitrary HTML code via the $_SERVER['HTTP_USER_AGENT'] parameter to example_form.ajax.php or example_form.php.

Fix

No fix had been released at the time of writing this advisory.

Details

Using CxSAST, we scanned and found an HTML Injection in the files:
/example_form.ajax.php and
/example_form.php

Both files contain the following code:
securimage_code
As we can see, $_SERVER['HTTP_USER_AGENT'] is not properly sanitized before it is used, so it is vulnerable to HTML injection, and the injected markup is reflected in the email sent to the victim.
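The advisory shows the affected code only as an image, so the following is an added illustration in plain PHP, not Securimage's own code: the unsanitized concatenation of the User-Agent header into an HTML email body beside an output-encoded version. The function names, the message layout and the sample header value are assumptions made for this example.

```php
<?php
// Added example (not Securimage's code). In the real handler the value would
// come from $_SERVER['HTTP_USER_AGENT'] ?? ''; here it is a constructed sample.

// Vulnerable pattern described in the advisory: a request header, fully under
// the client's control, is concatenated straight into an HTML email body.
function build_email_body_vulnerable(string $userAgent): string
{
    return "<p>Sent from browser: " . $userAgent . "</p>";
}

// Hardened form: encode the header for the HTML context it lands in.
// ENT_QUOTES also escapes quotes, so the value is safe inside attributes too.
function build_email_body_safe(string $userAgent): string
{
    $encoded = htmlspecialchars($userAgent, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Sent from browser: " . $encoded . "</p>";
}

// Constructed sample: a User-Agent string that carries markup.
$sampleUserAgent = 'Mozilla/5.0 <b>injected</b> <a href="https://example.invalid">link</a>';

$vulnerable = build_email_body_vulnerable($sampleUserAgent);
$safe       = build_email_body_safe($sampleUserAgent);

// The vulnerable body keeps the tags live; the encoded body renders them as text.
assert(strpos($vulnerable, '<b>injected</b>') !== false);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&lt;b&gt;injected&lt;/b&gt;') !== false);
assert(strpos($safe, '&quot;https://example.invalid&quot;') !== false);

echo "vulnerable body: $vulnerable\n";
echo "encoded body:    $safe\n";
```

The same encoding applies to every other request header or form field the example form copies into the message; the header is no more trustworthy than a POST parameter.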

Disclosure Timeline

22-Mar-2016 – Reported to Securimage developer
31-Mar-2016 – Developer confirmed the vulnerability and said a fix will be issued in the future
17-Nov-2017 – Contacted developer to let him know the vulnerability is going to be published although no fix is out

Related Links

Vulnerability on mitre.org
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14077
Vulnerability on NVD
https://nvd.nist.gov/vuln/detail/CVE-2017-14077