Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title PHP FormMail Generator generates code vulnerable to multiple issues
Informations
Name VU#608591 First vendor Publication 2017-03-07
Vendor VU-CERT Last vendor Modification 2017-03-07
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#608591

PHP FormMail Generator generates code vulnerable to multiple issues

Original Release date: 07 Mar 2017 | Last revised: 07 Mar 2017

Overview

PHP forms generated using the PHP FormMail Generator are vulnerable to stored cross-site scripting and unrestricted upload of dangerous file types.

Description

PHP FormMail Generator is a website that generates PHP form code for inclusion in a PHP-based or Wordpress-based website. The code generated by the website prior to 17 December 2016 is vulnerable to the following:

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-9492

In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9493

The name and message fields of the generated PHP form do not properly validate input, allowing an attacker to submit a XSS payload that is then stored by the application. The XSS payload is executed when an administrator accesses the administrator panel.

Impact

An unauthenticated remote attacker may be able to conduct stored XSS attacks against the form administrator, or possibly execute PHP code on the server if the attacker can guess the uploaded filename.

Solution

A full solution is not currently known, however users may consider the following.


Regenerate your PHP form code

The PHP FormMail Generator website as of 2016-12-17 generates PHP code that addresses CVE-2016-9492. Affected users are encouraged to regenerate the PHP form code using the website, or manually apply patches.

However, CVE-2016-9493 is not confirmed addressed in the latest release. Users may manually update their form code to use PHP `htmlentities` or similar methods to prevent XSS in the fields. Alternately, users may need to consider a different form.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
PHP FormMail GeneratorAffected16 Dec 201621 Dec 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal7.7E:F/RL:OF/RC:C
Environmental5.8CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.formmail-maker.com/generator.php

Credit

Thanks to Ibram Marzouk for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-9492CVE-2016-9493
  • Date Public:17 Dec 2016
  • Date First Published:07 Mar 2017
  • Date Last Updated:07 Mar 2017
  • Document Revision:28

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/608591

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-434 Unrestricted Upload of File with Dangerous Type (CWE/SANS Top 25)
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2018-09-10 17:23:39
  • Multiple Updates
2018-07-14 00:21:04
  • Multiple Updates
2017-03-07 21:21:40
  • First insertion