Map Labs

WordPress: Contact Form 7 File Upload Vulnerability

More threads by djbaxter

djbaxter

djbaxter

Administrator
Joined
Jun 28, 2012
Messages
3,778
Solutions
2
Reaction score
1,877
A Challenging Exploit: The Contact Form 7 File Upload Vulnerability
by Ram Gall, Wordfence.com
Dec 17, 2020

Contact Form 7, arguably the most widely used WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations.

One of the important features of Contact Form 7 is the ability to allow file uploads as a part of a form submission. While uploaded filenames are sanitized during the upload process, reviewing the patch indicates that an attacker could potentially bypass some of Contact Form 7’s filename sanitization protections when uploading files by adding control characters or invisible separators.

There are a number of mitigations in place within Contact Form 7 that would make this bypass difficult to fully exploit:
  • Any uploaded files are stored temporarily in a folder with a random name, and removed immediately after the file is sent to the form recipient. This means the attacker would need to be able to find the random folder name, which would likely require Directory Indexing to be enabled, and they would need to do so before the randomized directory and uploaded file was removed.
  • Contact Form 7 uses an .htaccess file to disallow direct access to uploaded files which would be necessary to execute code. While this would only work on sites running Apache, it would prevent execution of any uploaded files unless a separate vulnerability was present.
  • The filename must end in an acceptable file extension. This means that only certain Apache configurations would assign a PHP handler to any uploaded file using a double extension.
If you are using Contact Form 7 without the file upload functionality, your site is not vulnerable to attackers looking to exploit this vulnerability. However, we still recommend an immediate update to ensure your site is protected.

Wordfence customers, including Wordfence Premium users and those still running the free version, are protected by the Firewall’s built-in file upload protection which will prevent any attempts to upload known malware or executable PHP files.

The patched version was released early today, Wednesday, December 17, 2020. If your site is one of the many sites using Contact Form 7, we strongly recommend that you update to version 5.3.2 as soon as possible.

While this vulnerability is unlikely to be easily exploitable, due to the prevalence of sites using Contact Form 7, attackers may still end up targeting this vulnerability. Given more time, or published proof of concept code, attackers may find that exploitation of this vulnerability is much easier than is readily apparent now.
Click to expand...

Read more...
 
You must log in or register to reply here.

Similar threads

J
New photo upload interface and file size requirements
Replies
6
Views
7K
dale-jepto
dale-jepto
djbaxter
Important WordPress 5.8.3 Security Release
Replies
0
Views
3K
djbaxter
djbaxter
C
  • Solved
Duplicate without user-selected canonical OPTIONS
Replies
7
Views
3K
bdlowery
bdlowery
djbaxter
Ninja Forms WordPress Plugin: High Severity Vulnerability Patched
Replies
0
Views
2K
djbaxter
djbaxter
ianscott
Contact Form 7 Datepicker - High Vulnerability Leads To Plugin Closure
Replies
1
Views
4K
djbaxter
djbaxter

Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

Share this page

LocalU Event

LocalU - Local SEO Penalties for Links

Newest Posts

Trending: Most Replies

Trending: Most Viewed

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...

  Local Search Pros Facebook

Top Bottom