lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <6d73bb2e6f624a4a97135a63173ae8d8@ait.ac.at> Date: Wed, 4 Mar 2020 12:40:57 +0000 From: sec-advisory <sec-advisory@....ac.at> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] [AIT-SA-20200301-01] CVE-2020-9364: Directory Traversal in Creative Contact Form # Directory Traversal in Creative Contact Form ## Overview * Identifier: AIT-SA-20200301-01 * Target: Creative Contact Form (for Joomla) * Vendor: Creative Solutions * Version: 4.6.2 (before Dec 03 2019) * CVE: CVE-2020-9364 * Accessibility: Remote * Severity: Critical * Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology) ## Summary [Creative Contact Form](https://creative-solutions.net/) is a responsive jQuery contact form for the Joomla content-management-system. ## Vulnerability Description A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. An attacker could exploit this vulnerability to receive any files from the server via e-mail. The vulnerable code is located in "helpers/mailer.php" at line 290: ``` if(isset($_POST['creativecontactform_upload'])) { if(is_array($_POST['creativecontactform_upload'])) { foreach($_POST['creativecontactform_upload'] as $file) { // echo $file.'--'; $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file; $attach_files[] = $file_path; } } } ``` If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'], and enables "Send me a copy", the contact-form would send him the content of /etc/passwd via email. _Note: this vulnerability might not be exploitable in the free version of Creative Contact Form since it does not allow "Send copy to sender"._ ## Vulnerable Versions Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019) ## Impact An unauthenticated attacker could receive any file from the server ## Mitigation Update to the current version ## References: * https://nvd.nist.gov/vuln/detail/CVE-2020-9364 ## Vendor Contact Timeline * `2019-12-02` Contacting the vendor * `2019-12-02` Vendor published a fixed version * `2019-03-01` Public disclosure ## Advisory URL [https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form](https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists