Title: CGI Command Execution Vulnerability in POST HTTP Method
Last modified: August 22, 2016

---

# CGI Command Execution Vulnerability in POST HTTP Method

[filmdc](https://wordpress.org/support/users/filmdc/) (@filmdc), [11 years, 4 months ago](https://wordpress.org/support/topic/cgi-command-execution-vulnerability-in-post-http-method/)

Hi,

A site we run recently was flagged by SiteLock as having an issue with sanitized request strings, and they pointed directly at our Contact Form 7 plugin form. The form is Get A Quote, which submits basic contact info so a representative can get in touch with a sales rep.

The message was this:

> Synopsis: It may be possible to run arbitrary code on the remote web server.
>
> Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host. Note that this script uses a time-based method which is less reliable than the basic method.
>
> Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
>
> Technical Details: Using the POST HTTP method, SiteLock App Scan found that:
>
> The following resources may be vulnerable to arbitrary command execution (time based):
>
> The ‘City’ parameter of the `/get-a-quote[your-email=&comments=&_wpcf7=671&besttime=&State=&+wpcf7_captcha_challenge_SecurityCode=2144197497&TypeofCoverage[]=Home&_wpcf7_unit_tag=wpcf7-f671=p79-o1&PhoneNumber=&Zipcode=&_wpnonce=d06d5c35f9&Address=&_wpcf7_local=SecurityCode=&_wpcf7_version=4.0.2&&your-name=&City=x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26]`
>
> ———— output ————

So from what I could tell by their alert, and the warning that the issues needed to be addressed within 72 hours, is that they were able to execute a command-line ping using the City field in the contact form.

When I checked the plugin, it needed an update, and I updated it to the current version 4.0.3. I didn’t check prior to see what version I had, so I’m thinking I had a version less than 4.0.2, which looks like when you guys added a security update. Can you confirm this for me? Does this make sense to you guys, or is it possible 4.0.2 had this security issue?

Thank you,
David

[https://wordpress.org/plugins/contact-form-7/](https://wordpress.org/plugins/contact-form-7/)
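The scanner finding above is a time-based command-injection probe: the City value decodes to `x || ping -n 3 127.0.0.1 &`, and the scanner infers a problem only from how long the response took. The following Python script is an added example, not code from the thread or from the Contact Form 7 plugin. It URL-decodes the reported request string (a constructed copy of the one quoted in the post, with the stray `+` in the captcha parameter name dropped), lists every form parameter, flags values that combine shell metacharacters with a delay-producing command, and shows the kind of allowlist check a form handler could apply to a free-text field such as City. The `SCANNER_REQUEST` constant, the regular expressions and the function names are all this example's own assumptions.

```python
"""Decode and triage a scanner's time-based command-injection finding.

Added example (not from the forum thread or Contact Form 7). Given the
request string a scanner reports, it shows which parameter carried the
probe, what the probe contains, and whether an allowlist check on the
field would have rejected it.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample: the request quoted in the post, with the stray "+"
# in the captcha parameter name removed so every key parses cleanly.
SCANNER_REQUEST = (
    "your-email=&comments=&_wpcf7=671&besttime=&State=&"
    "wpcf7_captcha_challenge_SecurityCode=2144197497&TypeofCoverage[]=Home&"
    "_wpcf7_unit_tag=wpcf7-f671=p79-o1&PhoneNumber=&Zipcode=&_wpnonce=d06d5c35f9&"
    "Address=&_wpcf7_local=SecurityCode=&_wpcf7_version=4.0.2&&your-name=&"
    "City=x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26"
)

# Characters a POSIX or Windows shell treats as command separators or
# command substitution; any of them in a city name is a red flag.
SHELL_METACHARS = re.compile(r"[|;&`]|\$\(")
# Commands that produce a measurable delay: a time-based probe needs one
# of these so the scanner can infer execution from response latency.
DELAY_COMMANDS = re.compile(r"\b(ping|sleep|timeout)\b", re.IGNORECASE)
# Letters (including Latin-1 accented ones), spaces, periods, apostrophes
# and hyphens cover real city names such as "St. Louis" or "Coeur d'Alene".
CITY_ALLOWED = re.compile(r"^[A-Za-z\u00C0-\u00FF][A-Za-z\u00C0-\u00FF .'-]{0,99}$")


def decode_request(query: str) -> dict[str, str]:
    """URL-decode a query string into {name: value}; blank values are kept
    because blank fields are part of what the scanner submitted."""
    return dict(parse_qsl(query, keep_blank_values=True))


def triage(params: dict[str, str]) -> dict[str, dict]:
    """Return, for each parameter whose value looks like an injection probe,
    the decoded value, the shell metacharacters seen, the delay commands seen,
    and whether the combination matches a time-based probe."""
    findings: dict[str, dict] = {}
    for name, value in params.items():
        metas = sorted(set(SHELL_METACHARS.findall(value)))
        delays = DELAY_COMMANDS.findall(value)
        if metas or delays:
            findings[name] = {
                "value": value,
                "metachars": metas,
                "delay_commands": delays,
                "time_based": bool(metas and delays),
            }
    return findings


def is_valid_city(value: str) -> bool:
    """Allowlist check for a city field: only the characters a city name
    legitimately contains. The scanner's payload fails on the first '|'."""
    return bool(CITY_ALLOWED.fullmatch(value.strip()))


if __name__ == "__main__":
    params = decode_request(SCANNER_REQUEST)
    for name, value in params.items():
        print(f"{name!r:45} = {value!r}")
    for name, info in triage(params).items():
        kind = "time-based probe" if info["time_based"] else "suspicious value"
        print(f"\n{name}: {kind} -> {info['value']!r}")
        print(f"  metacharacters: {info['metachars']}  delay commands: {info['delay_commands']}")
        print(f"  passes city allowlist: {is_valid_city(info['value'])}")
```

A probe like this is evidence that the scanner sent the payload, not that anything ran it; a site that simply answers slowly can trip a three-second latency threshold. The decoded parameter tells you what to look for in the web server and plugin logs around the scan time, and the allowlist check shows the shape of the server-side validation a free-text field should have regardless of whether the finding is real.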

Viewing 1 replies (of 1 total)

Plugin Author [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/) (@takayukister), [11 years, 4 months ago](https://wordpress.org/support/topic/cgi-command-execution-vulnerability-in-post-http-method/#post-5655078)

As far as I can see, this vulnerability report is not applicable to the Contact Form 7 plugin of any version. It might be a particular issue in your site, but I’m not sure. I want to hear the details from SiteLock if possible.

It mentions a ‘City’ parameter. Do you have that field in your form? Can I see the form?

The topic ‘CGI Command Execution Vulnerability in POST HTTP Method’ is closed to
new replies.

## Tags

 * [CGI](https://wordpress.org/support/topic-tag/cgi/)
 * [HTTP](https://wordpress.org/support/topic-tag/http/)
 * [post](https://wordpress.org/support/topic-tag/post/)

 * 1 reply
 * 2 participants
 * Last reply from: [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/cgi-command-execution-vulnerability-in-post-http-method/#post-5655078)
 * Status: not resolved