2025-01-18 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article analyzes CVE-2020-35489, an unrestricted file upload vulnerability in the Contact Form 7 plug-in, and presents the corresponding analysis and remediation so that readers facing this problem can find a simple way to resolve it.
Vulnerability overview
Contact Form 7 is, as is well known, a very popular WordPress plug-in. According to recent findings from security researchers, however, it contains an unrestricted file upload vulnerability. The vulnerability is rated high risk, and the affected Contact Form 7 plug-in is installed on more than 5 million websites, making those sites an attractive target. With this vulnerability, an attacker can carry out phishing, website takeover, data theft and credit card fraud against the affected site.
We introduce and analyze the cause of this vulnerability, and give a proof of concept (PoC) and a mitigation scheme for it.
Contact Form 7 plug-in
For background on the plug-in, we quote the introduction from its official documentation:
Contact Form 7, or CF7, is a free WordPress contact form plug-in. It ranks first in the official WordPress plug-in list and is one of the most popular form plug-ins. It can manage multiple contact forms, and the form and mail contents can be customized flexibly with simple markup.
Vulnerability description
The National Vulnerability Database (NVD) tracks this vulnerability as CVE-2020-35489 and describes it as follows:
The Contact Form 7 plug-in for WordPress (versions earlier than v5.3.2) allows attackers to achieve unrestricted file upload and remote code execution, because the file name may contain special characters.
The plug-in allows WordPress administrators to create contact forms on their sites, where users enter contact information for technical support or feedback.
A malicious user can exploit this vulnerability by uploading a file whose name carries a double extension separated by a non-printable or special character, such as "php\t.jpg" (the \t tab character is the delimiter).
Contact Form 7 does not remove these characters from the uploaded file name. It parses the part of the name before the delimiter, including the first extension, while the delimiter prevents it from parsing the extensions that follow. As a result, the final file name becomes "php".
The attacker can then access or execute this file on the server, achieving remote code execution.
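The file-name handling described above can be modelled in a few lines. The following Python is an added illustration written for this article; it is not Contact Form 7's code, and the allow-list, the executable-extension set and the sample names are assumptions constructed for the example. It contrasts a check that only looks at the text after the last dot (which accepts "exploit.php\t.jpg" because it ends in .jpg) with the effect the article describes (the stored name is cut at the control character), and shows a hardened routine that strips control characters first, treats every dot-separated suffix as an extension, and replaces the user-supplied base name entirely.

```python
import re
import secrets
import unicodedata
from typing import Optional

# Constructed sample file names (not taken from the original article). The
# second and third mirror the "<name>.php<TAB>.jpg" pattern the text describes.
SAMPLE_NAMES = [
    "resume.jpg",
    "exploit.php\t.jpg",
    "notes.phtml\x00.pdf",
    "report.final.pdf",
]

# Assumed allow-list of upload types for this example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}

# Extensions a web server may hand to a script interpreter. Assumed for this
# example, not taken from the plugin or from WordPress.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_extension_check(name: str) -> bool:
    """Model of a check that only inspects the text after the last dot.
    'exploit.php\\t.jpg' passes because its last segment is 'jpg'."""
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def stored_name_after_truncation(name: str) -> str:
    """Model of the effect the article describes: everything from the first
    non-printable character onward is lost, so 'exploit.php\\t.jpg' ends up
    stored as 'exploit.php'. An illustration of the outcome, not CF7's code."""
    m = CONTROL_CHARS.search(name)
    return name[: m.start()] if m else name


def sanitize_upload_name(name: str) -> Optional[str]:
    """Hardened handling: normalise, strip control characters, check every
    dot-separated suffix, then discard the user-chosen base name.
    Returns None when the upload should be rejected."""
    name = unicodedata.normalize("NFKC", name)
    name = CONTROL_CHARS.sub("", name)      # drop tabs, NULs and other controls
    name = name.strip().strip(".")
    parts = name.split(".")
    if len(parts) < 2:
        return None                         # no extension at all
    suffixes = [p.lower() for p in parts[1:]]
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return None                         # 'exploit.php.jpg' is rejected here
    ext = suffixes[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Random base name: nothing the uploader typed reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


def triage(name: str) -> dict:
    """Summarise how the three routines treat one file name."""
    return {
        "naive_accepts": naive_extension_check(name),
        "stored_as": stored_name_after_truncation(name),
        "hardened": sanitize_upload_name(name),
    }


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), triage(sample))
```

The order of operations is the point: stripping control characters before looking at extensions means the name that is validated is the same name that reaches the filesystem, and rejecting any executable suffix anywhere in the name closes the double-extension case even when a tab or NUL is not involved.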
The Contact Form 7 source code is hosted on GitHub for readers who want to examine it.
Attackers can therefore exploit CVE-2020-35489 to cause serious security impact on the affected site.
Exploit PoC
Note that we cannot publicly disclose the exploitation technique and details of this vulnerability, because the official PoC has not yet been released and vendors and users need time to update before December 31, 2020.
Here I set up a WordPress site locally to demonstrate the vulnerability. I use the Contact Form 7 v5.3.1 plug-in, because the vulnerability was fixed in version 5.3.2, released on December 17, 2020.
Environment configuration
First, download, import, install and activate the plug-in:
At this point the Contact Form 7 plug-in is installed and activated.
Second, find the "Contact" entry in the WordPress sidebar and click the "Add New" button to create a new form.
To demonstrate the vulnerability, I created a "Job Application Form" that supports file upload.
Finally, add the form to a page and publish it.
Attack scenario
We visit the newly created page and upload a file named "exploit.php\t.jpg" in the file upload field of the form.
The malicious file is uploaded to the server.
After clicking "Submit", the server's response indicates that the file was uploaded successfully and that its name is "exploit.php". We can then access or execute this file on the server, achieving arbitrary code execution.
The default upload path is "wp-content/uploads", but the upload path (WPCF7_UPLOADS_TMP_DIR) can be changed as follows:
define('WPCF7_UPLOADS_TMP_DIR', '/your/file/path');
Vulnerability impact
By exploiting this vulnerability, an attacker can upload a file of any type, bypassing the upload-type restrictions deployed on the affected site. The consequences include, but are not limited to:
Takeover of the entire website
Malware infection, theft of credit card information and redirection of users to malicious pages
Phishing attacks
Access to the server's file system and database information
Installation of a backdoor, and so on
Vulnerability mitigation
Go to the WordPress Plugins page and update the plug-in to v5.3.2 or later. In addition, the WordPress security scanner WPSec can be used to scan and monitor the site. After running WPSec, we see the output shown in the following figure:
Similar vulnerabilities appear often, so we recommend that users check for and apply plug-in updates regularly. We should also disable PHP execution in the uploads folder. With Nginx, PHP execution can be disabled by adding the following to the configuration file:
location ^~ /wp-content/uploads/ {
    location ~ \.php$ { deny all; }
}
For Apache, it is not recommended to block PHP execution by placing an .htaccess file in the uploads folder, because an attacker could overwrite that file using the vulnerability above. Execution can instead be blocked in the Apache configuration files, although this can be a problem on shared hosting. Setting AllowOverride to None also prevents an .htaccess file from overriding that setting.
This concludes the analysis of the Contact Form 7 plug-in unrestricted file upload vulnerability CVE-2020-35489. I hope the above is of some help; if you still have questions, you can follow the industry information channel for more related knowledge.