Contact Form 7, arguably the most trusted WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations.
One of the most important features of Contact Form 7 is the ability to allow file uploads as part of a form submission. While uploaded filenames are sanitized during the upload process, reviewing the patch indicates that an attacker could potentially bypass some of Contact Form 7’s filename sanitization protections when uploading files by adding control characters or invisible separators.
There are a number of mitigations in place within Contact Form 7 that would make this bypass difficult to fully exploit:
- Any uploaded files are stored temporarily in a folder with a random name, and removed immediately after the file is sent to the form recipient. This means the attacker would need to be able to find the random folder name, which would likely require Directory Indexing to be enabled, and they would need to do so before the randomized directory and uploaded file were removed.
- Contact Form 7 uses an .htaccess file to disallow direct access to uploaded files, which would be necessary to execute code. While this only works on sites running Apache, it could prevent execution of any uploaded files unless another vulnerability was present.
- The filename must end in an acceptable file extension. This means that only certain Apache configurations would assign a PHP handler to any uploaded file using a double extension.
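The ordering lesson from the sanitization bypass and the extension requirement above, as an added example that is not Contact Form 7's code or its 5.3.2 patch: strip control characters and invisible separators first, then validate the extension on the name that results. The function name, the allowlist and the blocked-handler pattern are assumptions, and the mbstring extension is assumed to be loaded.

```php
<?php
// Added example: not Contact Form 7's code or its 5.3.2 patch.
// example_safe_upload_name() and both lists below are assumptions.
function example_safe_upload_name(string $name, array $allowed = ['jpg', 'png', 'pdf', 'txt']): ?string
{
    // Invalid UTF-8 cannot be inspected reliably, so refuse it.
    if (!mb_check_encoding($name, 'UTF-8')) {
        return null;
    }
    // Keep only the last path segment of whatever the client sent.
    $segments = explode('/', str_replace('\\', '/', $name));
    $name = end($segments);
    // Strip control (Cc), format (Cf), line and paragraph separator (Zl, Zp)
    // characters, and collapse Unicode spaces (Zs), BEFORE any extension check.
    $clean = preg_replace('/[\p{Cc}\p{Cf}\p{Zl}\p{Zp}]+/u', '', $name);
    $clean = preg_replace('/\p{Zs}+/u', '_', (string) $clean);
    $clean = trim((string) $clean, '._');
    // Validate the name that will actually be written to disk.
    $parts = explode('.', strtolower($clean));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;
    }
    $ext = array_pop($parts);
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // Refuse double extensions that some Apache setups map to a handler.
    foreach (array_slice($parts, 1) as $inner) {
        if (preg_match('/^(php\d?|phtml|phar|pht|cgi|pl|py|asp|aspx|jsp|sh)$/', $inner)) {
            return null;
        }
    }
    return $clean;
}

// Constructed sample filenames, for illustration only.
$samples = [
    "holiday photo.jpg",
    "invoice\u{200B}.pdf",  // zero-width space (Cf)
    "report.pdf\u{2028}",   // trailing line separator (Zl)
    "notes.php.txt",        // double extension
    "script.php",           // extension not on the allowlist
];
foreach ($samples as $s) {
    printf("%-24s => %s\n", json_encode($s), var_export(example_safe_upload_name($s), true));
}
```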
If you’re using Contact Form 7 without the file upload functionality, your site is not vulnerable to attackers looking to exploit this vulnerability. However, we still recommend an immediate update to ensure your site is protected.
Wordfence customers, including Wordfence Premium users and those still running the free version, are protected by the Firewall’s built-in file upload protection, which will prevent any attempts to upload known malware or executable PHP files.
The patched version was released early today, Wednesday, December 17, 2020. If your site is one of the many sites using Contact Form 7, we strongly recommend that you update to version 5.3.2 as soon as possible.
While this vulnerability is unlikely to be easily exploitable, due to the prevalence of sites using Contact Form 7, attackers may still end up targeting this vulnerability. Given additional time, or published proof of concept code, attackers may find that exploitation of the vulnerability is easier than is readily apparent now.
Special thanks to Lead Programmer Matt Barry and QA Lead Matt Rusnak for their assistance in investigating this issue.
The post A Challenging Exploit: The Contact Form 7 File Upload Vulnerability appeared first on Wordfence.