Creative Contact Form 4.6.2 Directory Traversal

2020.03.09
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Directory Traversal in Creative Contact Form ## Overview * Identifier: AIT-SA-20200301-01 * Target: Creative Contact Form (for Joomla) * Vendor: Creative Solutions * Version: 4.6.2 (before Dec 03 2019) * CVE: CVE-2020-9364 * Accessibility: Remote * Severity: Critical * Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology) ## Summary [Creative Contact Form](https://creative-solutions.net/) is a responsive jQuery contact form for the Joomla content-management-system. ## Vulnerability Description A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. An attacker could exploit this vulnerability to receive any files from the server via e-mail. The vulnerable code is located in "helpers/mailer.php" at line 290: ``` if(isset($_POST['creativecontactform_upload'])) { if(is_array($_POST['creativecontactform_upload'])) { foreach($_POST['creativecontactform_upload'] as $file) { // echo $file.'--'; $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file; $attach_files[] = $file_path; } } } ``` If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'], and enables "Send me a copy", the contact-form would send him the content of /etc/passwd via email. _Note: this vulnerability might not be exploitable in the free version of Creative Contact Form since it does not allow "Send copy to sender"._ ## Vulnerable Versions Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019) ## Impact An unauthenticated attacker could receive any file from the server ## Mitigation Update to the current version ## References: * https://nvd.nist.gov/vuln/detail/CVE-2020-9364 ## Vendor Contact Timeline * `2019-12-02` Contacting the vendor * `2019-12-02` Vendor published a fixed version * `2019-03-01` Public disclosure ## Advisory URL [https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form](https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top