SQL injection vulnerability in Contact Form WordPress (Plugin: Contact Form)

Viewing 10 replies - 1 through 10 (of 10 total)
  • skrapsrwt

    (@skrapsrwt)

    Foot in mouth, I meant to spell that "vulnerability". lol.

    hjsktrzyqyq

    (@hjsktrzyqyq)

    I’m seeing some very weird code, especially the $private_key which you have included; however, I will say this.

    Thank you for attempting to contact the vendor.

    However your solution is not ideal.

    Line 52 in your doc:

    ! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);

    Should be:
    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);

    And line 51 is redundant and can now be removed.

    For those who don’t understand diff and want to fix this:

    in easy-form.class.php

    look for:
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

    Change to:

    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);

    Next search for:
    WHERE form_id = ".$_POST['wpcf_easyform_formid']."

    replace with:
    WHERE form_id = ".$wpcf_easyform_formid."

    Cheers,

    Steven Roddis
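    The following is an added example, not code from the plugin or from anyone in this thread. It puts the vulnerable lookup from easy-form.class.php next to the intval() fix described above and next to the $wpdb->prepare() form with a %d placeholder that WordPress provides for exactly this case. The WpdbStandIn class, the load_form_* function names, the wp_easyform table name and the POST value are constructed for illustration so the script runs outside WordPress; $wpdb->prepare() and $wpdb->get_results() are the real WordPress methods being modelled.

```php
<?php
// Added example (not the plugin's code): vulnerable query vs. intval() fix vs. $wpdb->prepare().

// Minimal stand-in for WordPress's $wpdb so this runs outside WordPress. It models only
// prepare()'s %d / %s handling and records the SQL instead of executing it.
class WpdbStandIn {
    public $last_query = '';

    public function prepare($query, ...$args) {
        // %d is rendered as an integer, %s as a quoted, escaped string (the real method's contract).
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('%s', "'%s'", $query);
        $args = array_map(function ($a) {
            return is_int($a) ? $a : addslashes((string) $a);
        }, $args);
        return vsprintf($query, $args);
    }

    public function get_results($sql) {
        $this->last_query = $sql;   // a real $wpdb would run it; here it is only captured
        return [];
    }
}

// Vulnerable form (as quoted in the thread): the raw POST value is concatenated into the SQL.
function load_form_vulnerable($wpdb, $table_name) {
    return $wpdb->get_results("SELECT * FROM $table_name WHERE ID = " . $_POST['wpcf_easyform_formid']);
}

// Fix from the thread: cast once with intval() and reuse the integer in every later query
// (the form_id query too). Non-numeric input becomes 0, so reject anything that is not a
// positive ID instead of querying ID = 0.
function load_form_intval($wpdb, $table_name) {
    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);
    if ($wpcf_easyform_formid <= 0) {
        return null;
    }
    return $wpdb->get_results("SELECT * FROM $table_name WHERE ID = " . $wpcf_easyform_formid);
}

// Same validation, but the value is bound through $wpdb->prepare() with a %d placeholder,
// which is the idiom to reach for whenever a query is built from request data.
function load_form_prepared($wpdb, $table_name) {
    $wpcf_easyform_formid = intval($_POST['wpcf_easyform_formid']);
    if ($wpcf_easyform_formid <= 0) {
        return null;
    }
    return $wpdb->get_results(
        $wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $wpcf_easyform_formid)
    );
}

// Constructed input: a value that is not a form ID at all, to show what each variant sends to MySQL.
$_POST['wpcf_easyform_formid'] = '1 OR 1=1';
$table_name = 'wp_easyform';   // constructed table name
$wpdb = new WpdbStandIn();

load_form_vulnerable($wpdb, $table_name);
echo "vulnerable: " . $wpdb->last_query . "\n";   // the WHERE clause is no longer a single-ID match

load_form_intval($wpdb, $table_name);
echo "intval:     " . $wpdb->last_query . "\n";   // only the leading integer survives the cast

load_form_prepared($wpdb, $table_name);
echo "prepared:   " . $wpdb->last_query . "\n";   // same integer, bound via %d

// Constructed non-numeric input: intval() yields 0 and the request is rejected before any query runs.
$_POST['wpcf_easyform_formid'] = 'abc';
var_dump(load_form_intval($wpdb, $table_name));
```

    Run it with the PHP CLI to see the three generated statements side by side. The intval() cast alone closes the injection, which is the point of the fix above; binding through $wpdb->prepare() additionally keeps the query shape and its parameters visibly separate, so a later edit cannot quietly reintroduce string concatenation. Whichever variant is used, the integer must replace every occurrence of $_POST['wpcf_easyform_formid'], including the later form_id query.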

    hjsktrzyqyq

    (@hjsktrzyqyq)

    intval() allows whatever the max of an int is for your version of php and platform number of forms.

    hjsktrzyqyq

    (@hjsktrzyqyq)

    hjsktrzyqyq

    (@hjsktrzyqyq)

    This is obviously a disposable account, if anyone needs to contact me further. Google me.

    hjsktrzyqyq

    (@hjsktrzyqyq)

    FYI: I haven’t reviewed the plugin nor am I the author.

    skrapsrwt

    (@skrapsrwt)

    Right on, thank you. That is great. The original plugin.zip file code can be found at exploit-db @ http://www.exploit-db.com/application/17980 This afternoon the plugin was removed from the site. I don’t understand why, but that intval() is a great add. Thanks for educating me 🙂

    henrisalo

    (@henrisalo)

    hjsktrzyqyq

    (@hjsktrzyqyq)

    @skrapsrwt you actually helped me with that DoS code in your PoC for something else I’m pen-testing. Let’s call it even 🙂

    skrapsrwt

    (@skrapsrwt)

    @henrisalo - no, it’s not the same plugin

  • The topic ‘SQL injection vulnerability in Contact Form WordPress’ is closed to new replies.