[29429] in bugtraq


ProtWare "HTML Guardian" has pathetic "encryption"

daemon@ATHENA.MIT.EDU (rain_song@hushmail.com)
Fri Mar 21 18:56:03 2003

Message-Id: <200303200928.h2K9S6iP093621@mailserver2.hushmail.com>
Date: Thu, 20 Mar 2003 01:28:06 -0800
To: bugtraq@securityfocus.com
From: <rain_song@hushmail.com>
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="Hush_boundary-3e7989a627c62"

--Hush_boundary-3e7989a627c62
Content-type: text/plain

For $40 or $70, ProtWare's "HTML Guardian" (http://www.protware.com)
claims to "encrypt html code and javascripts, [making] it impossible
to reuse them."  Unfortunately, "HTML Guardian" does not do anything
more than to obfuscate the HTML source code.  There is no encryption.
In fact, the JavaScript that "encrypts" that data is included in the
HTML code at the end (just translate the HTML hex to HTML ascii).

Basically how it works is this:

original = abcdefgh
encrypted = acegbdfh

They simply take every other letter, smash them together, then append
the leftovers all into one string.  $70 encryption, woohoo!!

Attached is a Perl script that re-assembles their "encrypted" code. 
The script takes a file as input, and in that file is a modified version
of the HTML source code.  In this file, just have the big JavaScript
variable included from the HTML source code (minus the single quote characters).
An example of this "encrypted" HTML can be retrieved from ProtWare's
demo page at http://www.protware.com/e_demo.htm.

--Hush_boundary-3e7989a627c62
Content-type: application/octet-stream; name="protpop.pl"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="protpop.pl"
--Hush_boundary-3e7989a627c62--
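
The transposition described in the message above, as an added example that is not part of the original post and is not the attached protpop.pl. It models the scheme from the abcdefgh/acegbdfh illustration and shows that undoing it needs only the string length, no key; the function names, the sample markup and the odd-length handling are assumptions.

```javascript
// Added illustration: only the abcdefgh -> acegbdfh mapping comes from the post.
// scramble/unscramble are hypothetical names, not the product's own code.

// Forward direction: characters at even positions first,
// then the odd-position "leftovers" appended.
function scramble(text) {
  let evens = "";
  let odds = "";
  for (let i = 0; i < text.length; i++) {
    if (i % 2 === 0) {
      evens += text[i];
    } else {
      odds += text[i];
    }
  }
  return evens + odds;
}

// Reverse direction: the split point is fixed by the length alone.
// Assumption for odd lengths: the first half holds the extra character,
// which follows from taking "every other letter" starting at the first.
function unscramble(scrambled) {
  const half = Math.ceil(scrambled.length / 2);
  const evens = scrambled.slice(0, half);
  const odds = scrambled.slice(half);
  let out = "";
  for (let i = 0; i < half; i++) {
    out += evens[i];
    if (i < odds.length) {
      out += odds[i];
    }
  }
  return out;
}

// Constructed sample markup, not taken from the vendor's demo page.
const sample = '<a href="/x">hi</a>';

console.log(scramble("abcdefgh"));                 // the post's example
console.log(unscramble(scramble(sample)) === sample); // round trip, odd length
```

Because the mapping is a fixed permutation of positions, anyone holding the page source can recover the markup, which is the post's point about obfuscation versus encryption.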


