Direkt zum Inhalt

AIT-SA-20200301-01

Creative Contact Form: Directory Traversal

Identifier: AIT-SA-20200301-01
Target: Creative Contact Form (for Joomla)
Vendor: Creative Solutions
Version: 4.6.2 (before Dec 03 2019)
CVE: CVE-2020-9364
Accessibility: Remote
Severity: High
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

Creative Contact Form is a responsive jQuery contact form for the Joomla content-management-system.

Vulnerability Description

A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. An attacker could exploit this vulnerability to receive any files from the server via e-mail.

The vulnerable code is located in "helpers/mailer.php" at line 290:

if(isset($_POST['creativecontactform_upload'])) {
if(is_array($_POST['creativecontactform_upload'])) {
foreach($_POST['creativecontactform_upload'] as $file) {

// echo $file.'--';
$file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
$attach_files[] = $file_path;
}
}
}

If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'], and enables "Send me a copy", the contact-form would send him the content of /etc/passwd via email.

 

Note: this vulnerability might not be exploitable in the free version of Creative Contact Form since it does not allow "Send copy to sender".

Vulnerable Versions

Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)

Impact

An unauthenticated attacker could receive any file from the server

Solution

Update to the current version

References

Vendor Contact Timeline

2019-12-02 Contacting the vendor
2019-12-02 Vendor published a fixed version
2019-03-01 Public disclosure

Advisory URL

https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form