Description

Easy!Appointments is a highly customizable web application that offers scheduling management for businesses.

Threat

An attacker can run automated attacks against the CAPTCHA-protected form.

Expectation

The CAPTCHA should be invalidated after first use. The application should not send the value of a decoded CAPTCHA when the submitted one is invalid.

Note that in Easy!Appointments 1.2.1 the "Require CAPTCHA" option adds a CAPTCHA only on the "Confirm Appointment" form. For better security, it is recommended to protect every form of the unauthenticated section.

Vulnerability type

CVE ID: CVE-2018-13060

Access Vector: network

Security Risk: medium

Vulnerability: CWE-804

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Details

When the "Require CAPTCHA" option is activated, visitors are required to validate the CAPTCHA when submitting the "Confirm Appointment" form.

If a wrong CAPTCHA is submitted, the application sends the decoded value of the expected CAPTCHA in its response and does not invalidate it. Therefore, an attacker can abuse this behaviour to bypass the CAPTCHA.

Proof of Concept: CAPTCHA bypass

The steps consist of collecting and reusing a decoded CAPTCHA:

1/ When submitting the "Confirm Appointment" form, submit a wrong CAPTCHA.

2/ Collect the valid CAPTCHA in the response body returned by the Easy!Appointments server. For example:

{"captcha_verification":false,"expected_phrase":"zyvjj"}

3/ Resend the form with the retrieved CAPTCHA.

4/ As long as you do not request index.php/captcha, the CAPTCHA is not updated.
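To make the expected behaviour concrete, the following is an added example, not code from Easy!Appointments (which is written in PHP): a Python sketch with an assumed dict-based session that places a verification handler behaving as the advisory describes next to a one-time, non-leaking version, plus a regression check that the replay of a leaked phrase is rejected.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase


def new_captcha(session: dict) -> str:
    """Generate a fresh 5-letter phrase and store it in the session.
    Conceptually the role of index.php/captcha (assumption: the phrase is session-bound)."""
    phrase = "".join(secrets.choice(ALPHABET) for _ in range(5))
    session["captcha_phrase"] = phrase
    return phrase


def verify_vulnerable(session: dict, submitted: str) -> dict:
    """Behaviour described in the advisory: on failure the expected phrase is echoed
    back and left in the session, so the next submission can reuse it."""
    expected = session.get("captcha_phrase")
    if expected is not None and submitted == expected:
        return {"captcha_verification": True}
    return {"captcha_verification": False, "expected_phrase": expected}


def verify_hardened(session: dict, submitted: str) -> dict:
    """One-time CAPTCHA: the stored phrase is consumed on every attempt, right or
    wrong, and the response never reveals it. A retry requires a new CAPTCHA."""
    expected = session.pop("captcha_phrase", None)
    ok = expected is not None and secrets.compare_digest(
        submitted.encode("utf-8"), expected.encode("utf-8")
    )
    return {"captcha_verification": bool(ok)}


def replay_after_failure(verify) -> bool:
    """Regression check: one wrong submission, then resubmit whatever the failure
    response leaked (or guess again if nothing leaked). Returns True if the second
    submission is accepted, i.e. the CAPTCHA could be bypassed."""
    session = {}
    new_captcha(session)
    first = verify(session, "wrong")
    leaked = first.get("expected_phrase")
    second = verify(session, leaked if leaked is not None else "wrong")
    return bool(second.get("captcha_verification", False))
```

The hardened handler also rejects a submission made without first requesting a CAPTCHA, since the session then holds no phrase to compare against.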

Affected versions

Versions 1.3.0 and prior to 1.2.1 - other versions have not been tested.

Solution

Update to a version later than 1.3.2.

Timeline (dd/mm/yyyy)

  • 06/03/2018 : Initial discovery
  • 17/04/2018 : Vendor contact
  • 17/05/2018 : Vendor technical team acknowledgment
  • 15/08/2018 : Vendor submits a private 2.2.16.128 pre-release that, according to our test, did not mitigate the issue.
  • 25/10/2019 : Public disclosure

Credits

  • Valentin CHATELAIN, Sysdream (v.chatelain -at- sysdream -dot- com)
  • Pierrick VERAN, Sysdream (p.veran -at- sysdream -dot- com)