7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
71.3%
PHP forms generated using the PHP FormMail Generator are vulnerable to stored cross-site scripting and unrestricted upload of dangerous file types.
PHP FormMail Generator is a website that generates PHP form code for inclusion in a PHP-based or Wordpress-based website. The code generated by the website prior to 17 December 2016 is vulnerable to the following:
CWE-434**: Unrestricted Upload of File with Dangerous Type -**CVE-2016-9492
In the generated form.lib.php
file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9493
The name
and message
fields of the generated PHP form do not properly validate input, allowing an attacker to submit a XSS payload that is then stored by the application. The XSS payload is executed when an administrator accesses the administrator panel.
An unauthenticated remote attacker may be able to conduct stored XSS attacks against the form administrator, or possibly execute PHP code on the server if the attacker can guess the uploaded filename.
A full solution is not currently known, however users may consider the following.
Regenerate your PHP form code
The PHP FormMail Generator website as of 2016-12-17 generates PHP code that addresses CVE-2016-9492. Affected users are encouraged to regenerate the PHP form code using the website, or manually apply patches.
However, CVE-2016-9493 is not confirmed addressed in the latest release. Users may manually update their form code to use PHP htmlentities
or similar methods to prevent XSS in the fields. Alternately, users may need to consider a different form.
608591
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: December 16, 2016 Updated: December 21, 2016
Statement Date: December 17, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 7.7 | E:F/RL:OF/RC:C |
Environmental | 5.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
<http://www.formmail-maker.com/generator.php>
Thanks to Ibram Marzouk for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-9492, CVE-2016-9493 |
---|---|
Date Public: | 2016-12-17 Date First Published: |
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
71.3%