Creative Contact Form Vulnerability for Joomla and WP [OSVDB ID 113669 + 113673]

There’s a new vulnerability inside the Creative Contact Form extension/plugin for Joomla and WordPress that allows a remote attacker to execute arbitrary PHP code and upload malicious files:
http://osvdb.org/show/osvdb/113673
http://osvdb.org/show/osvdb/113669

This plugin/extension seems to be quite popular. Some of our clients’ Joomla websites have already been attacked and defaced, so I’ve already submitted a request via the CWAF plugin to address this vulnerability.

So far I came up with this solution by modifying the CWAF rule ID 240000:

# Joomla Creative Contact Form Protection
SecRule REQUEST_FILENAME "[at]contains /components/com_sexycontactform/fileupload/files/" \
	"chain,\
	id:00129,\
	msg:'COMODO WAF: Protecting Joomla Creative Contact Form Files folder',\
	phase:2,\
	deny,\
	status:403,\
	t:none, t:urlDecodeUni, t:lowercase"
SecRule REQUEST_FILENAME "[at]endsWith .php" \
	"t:none, t:urlDecodeUni, t:lowercase"

# WordPress Creative Contact Form Protection
SecRule REQUEST_FILENAME "[at]contains /wp-content/plugins/sexy-contact-form/includes/fileupload/files/" \
	"chain,\
	id:00130,\
	msg:'COMODO WAF: Protecting WordPress Creative Contact Form Files folder',\
	phase:2,\
	deny,\
	status:403,\
	t:none, t:urlDecodeUni, t:lowercase"
SecRule REQUEST_FILENAME "[at]endsWith .php" \
	"t:none, t:urlDecodeUni, t:lowercase"

NOTE: If you use this, please remember to replace the [at] signs and assign your own custom rule IDs if necessary.
You can insert them under CWAF Plugin » Userdata » Custom Rules

These rules would deny the execution of PHP code within the Creative Contact Form upload folder.

The major problem so far is that the attackers are still able to upload malicious files and possibly run PHP code outside the upload folder. The uploaded files would also remain on the server. Therefore, I’m hoping that the Comodo developers can come up with a better protection for this vulnerability. Maybe block the uploading of PHP files?

Thank you.
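To check what the posted chained rules actually match, here is an added example (not part of the post, not Comodo's or ModSecurity's code) that emulates the two rules in Python: it approximates the t:urlDecodeUni and t:lowercase transformations, applies the @contains / @endsWith chain to constructed sample request paths, and shows that PHP outside the upload folder is not covered, which is the gap the post describes.

```python
import re
from urllib.parse import unquote

# Upload folders named in the posted rules (Joomla and WordPress variants).
UPLOAD_DIRS = (
    "/components/com_sexycontactform/fileupload/files/",
    "/wp-content/plugins/sexy-contact-form/includes/fileupload/files/",
)

def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni: decode IIS-style %uXXXX first, then %XX."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value)

def rule_blocks(request_filename: str) -> bool:
    """Emulate the chain: (@contains <upload dir>) AND (@endsWith .php),
    both evaluated after t:urlDecodeUni and t:lowercase, as in the posted rules.
    REQUEST_FILENAME is the path without the query string."""
    path = url_decode_uni(request_filename).lower()
    in_upload_dir = any(d in path for d in UPLOAD_DIRS)
    return in_upload_dir and path.endswith(".php")

# Constructed sample requests: which ones the rules would deny with 403.
SAMPLE_REQUESTS = [
    "/components/com_sexycontactform/fileupload/files/evil.php",      # blocked
    "/components/com_sexycontactform/fileupload/files/Evil.PHP",      # blocked (lowercase)
    "/components/com_sexycontactform/fileupload/files/evil%2Ephp",    # blocked (urlDecodeUni)
    "/components/com_sexycontactform/fileupload/files/photo.jpg",     # allowed (not PHP)
    "/wp-content/plugins/sexy-contact-form/includes/fileupload/files/x.php",  # blocked
    "/images/evil.php",  # allowed: outside the folder, the gap noted in the post
]

def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return a mapping of request path -> True if the rules would deny it."""
    return {r: rule_blocks(r) for r in requests}

if __name__ == "__main__":
    for path, blocked in evaluate().items():
        print(("DENY  " if blocked else "ALLOW ") + path)
```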

Thank you. We will take this into account.

My pleasure! Glad that you’re taking this into consideration.