SQL injection vulnerability in Contact Form WordPress (11 posts)

  1. skrapsrwt
    Member
    Posted 4 years ago

    Can allow an attacker to create high CPU loads on the server, basically in a sense causing a DoS or worse. lol.

    Proof of concept code and a patch to fix the issue provided. The patch only allows up to 99 forms. I hope no one needs more forms than that. If you do ... wow. Also, WOW upside down spells MOM. Keep that in mind ;)

    http://www.mediafire.com/?97vy045brmiq0ff

    I looked for the author's email but can't find it.

    http://wordpress.org/extend/plugins/contact-form-wordpress/

  2. skrapsrwt
    Member
    Posted 4 years ago

    Foot in mouth, I meant to spell that "vulnerability". lol.

  3. hjsktrzyqyq
    Member
    Posted 4 years ago

    I'm seeing some very weird code, especially the $private_key which you have included, however I will say this.

    Thank you for attempting to contact the vendor.

    However your solution is not ideal.

    Line 52 in your doc:

    ! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);

    Should be:
    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);

    And line 51 is redundant and can now be removed.

    For those who don't understand diffs and want to fix this:

    in easy-form.class.php

    look for:
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

    Change to:

    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);

    Next search for:
    WHERE form_id = ".$_POST['wpcf_easyform_formid']."

    replace with:
    WHERE form_id = ".$wpcf_easyform_formid."

    Cheers,

    Steven Roddis

  4. hjsktrzyqyq
    Member
    Posted 4 years ago

    intval() allows up to whatever the max of an int is for your version of PHP and platform as the number of forms.
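The injection and the fix discussed above (the concatenated $_POST value from post 3, the intval() cast suggested there, and the integer-range remark in post 4), as an added example that is not part of the original thread or of the plugin's code. It is a Python model of the PHP pattern: php_intval() is an assumed approximation of PHP's intval() on a string for a 64-bit build, the table wp_easyform_forms and its three rows are constructed, and sqlite3 stands in for $wpdb. The payload is a generic "1 OR 1=1"; the thread's own PoC is not reproduced.

```python
import re
import sqlite3

# Assumption: 64-bit PHP build, where intval() on an overflowing numeric
# string saturates at PHP_INT_MAX (the point raised in post 4).
PHP_INT_MAX = 2**63 - 1
PHP_INT_MIN = -(2**63)


def php_intval(value: str) -> int:
    """Approximation of PHP's intval() on a string (an assumption, not PHP itself):
    skip leading whitespace, take an optional sign and the leading digits,
    ignore everything after the first non-digit, return 0 when nothing
    numeric leads the string, and saturate on overflow."""
    m = re.match(r"\s*([+-]?\d+)", value)
    if not m:
        return 0
    return max(PHP_INT_MIN, min(PHP_INT_MAX, int(m.group(1))))


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's forms table; sqlite3 plays $wpdb."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_easyform_forms (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO wp_easyform_forms VALUES (?, ?)",
        [(1, "contact"), (2, "newsletter"), (3, "support")],
    )
    return conn


def get_form_vulnerable(conn, post_formid: str):
    # Same shape as the line quoted in post 3:
    #   $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
    # The POST value lands in the SQL text unchanged.
    sql = "SELECT * FROM wp_easyform_forms WHERE ID = " + post_formid
    return conn.execute(sql).fetchall()


def get_form_intval(conn, post_formid: str):
    # Post 3's fix: cast first, then concatenate. Only a bare integer can
    # reach the query, so "1 OR 1=1" collapses to 1.
    formid = php_intval(post_formid)
    sql = "SELECT * FROM wp_easyform_forms WHERE ID = " + str(formid)
    return conn.execute(sql).fetchall()


def get_form_prepared(conn, post_formid: str):
    # The cast plus a bound parameter, the equivalent of
    # $wpdb->prepare("... WHERE ID = %d", $formid) in WordPress.
    formid = php_intval(post_formid)
    return conn.execute(
        "SELECT * FROM wp_easyform_forms WHERE ID = ?", (formid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed payload, not the thread's PoC
    print("vulnerable:", get_form_vulnerable(db, payload))  # every row comes back
    print("intval    :", get_form_intval(db, payload))      # only form 1
    print("prepared  :", get_form_prepared(db, payload))    # only form 1
    print("overflow  :", php_intval("99999999999999999999"))  # saturates at PHP_INT_MAX
```

Run it as a script to see the three query variants side by side. The cast alone closes the injection because the concatenated value can no longer carry SQL syntax; the bound-parameter variant is what to prefer in new code, since it does not depend on every call site remembering the cast.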

  5. hjsktrzyqyq
    Member
    Posted 4 years ago

  6. hjsktrzyqyq
    Member
    Posted 4 years ago

    This is obviously a disposable account, if anyone needs to contact me further. Google me.

  7. hjsktrzyqyq
    Member
    Posted 4 years ago

    FYI: I haven't reviewed the plugin nor am I the author.

  8. skrapsrwt
    Member
    Posted 4 years ago

    Right on, thank you. That is great. The original plugin.zip file code can be found at exploit-db @ http://www.exploit-db.com/application/17980. This afternoon the plugin was removed from the site. I don't understand why, but that intval() is a great add; thanks for educating me :)

  9. henrisalo
    Member
    Posted 4 years ago

  10. hjsktrzyqyq
    Member
    Posted 4 years ago

    @skrapsrwt you actually helped me with that DoS code in your PoC for something else I'm pen-testing. Let's call it even :)

  11. skrapsrwt
    Member
    Posted 4 years ago

    @henrisalo - no, it's not the same plugin.

This topic has been closed to new replies.
