Hannah discovers bug in Contact Form 7 to bypass CAPTCHA
Contact Form 7 is one of the most popular contact form plugins for websites built on WordPress. It allows visitors to quickly and easily submit a message or query to the owner of the site without composing an entire email in a regular mail client.
Contact Form 7 offers a CAPTCHA facility to reduce the risk of abuse by bots and attackers. If that control can be bypassed, a sender can automate submissions and flood the form, resulting in a possible Denial of Service against the site's email recipients.
Whilst testing this CAPTCHA facility on our own website, Hedgehog Security were able to bypass this feature and flood our inbox with thousands of requests.
The author of the plugin has now been notified and a fix was released within a matter of hours. To apply the fix, visit the link below and update to version 3.7.2:
As a further precaution, site owners using contact forms are advised to limit the recipients configured on each form, and to create an inbox rule that files form messages into a separate folder so that a flood cannot bury legitimate mail.
This vulnerability has now been granted a CVE-ID. This can be viewed at www.cve.mitre.org
An advisory for this vulnerability may also be viewed below:
CVE: CVE-2014-2265
Vendor: Rock Lobster, LLC.
Product: ContactForm7
Affected Version: 3.7.1 and earlier
Fixed Version: 3.7.2
Reported by: Hannah Sharp
It is possible to bypass the CAPTCHA facility and fill the recipient's inbox with an influx of requests. Removing the "_wpcf7_captcha_challenge_captcha-719" parameter (or just emptying its value) from a request sent via a form that uses CAPTCHA allows the sender to bypass validation: the server only checks the CAPTCHA answer when the challenge parameter is supplied, so a submission without it is accepted as if it had passed. Because of this, a sender is able to automate the transmission of a huge number of emails to the site's email recipients.
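To make the bug class concrete, the following is an added model of the check the advisory describes; it is not Contact Form 7's own code and the plugin's real validation routine is not shown on this page. The parameter name "_wpcf7_captcha_challenge_captcha-719" is taken from the advisory; the answer field name, the challenge store and the sample submissions are constructed for this example.

```python
"""Model of the CAPTCHA-bypass pattern behind CVE-2014-2265.

Added, hypothetical re-implementation used to illustrate the bug class;
it is not Contact Form 7's code. Only the challenge parameter name comes
from the advisory; everything else here is an assumption.
"""
from typing import Callable, Dict, Mapping

# Challenge parameter named in the advisory; the answer field is assumed.
CAPTCHA_FIELD = "_wpcf7_captcha_challenge_captcha-719"
CAPTCHA_ANSWER_FIELD = "captcha-719"

# Constructed stand-in for the server-side store that maps a challenge
# token (sent to the browser) to the expected answer.
CHALLENGE_STORE: Dict[str, str] = {"a1b2c3": "7K4QP"}


def captcha_answer_is_valid(challenge: str, answer: str) -> bool:
    """Return True only if the answer matches the stored challenge."""
    expected = CHALLENGE_STORE.get(challenge)
    return expected is not None and answer.strip().upper() == expected


def vulnerable_accepts(post: Mapping[str, str]) -> bool:
    """Bug class: validation is gated on the challenge parameter being
    present and non-empty, so dropping or blanking it skips the check."""
    challenge = post.get(CAPTCHA_FIELD, "")
    if challenge:
        return captcha_answer_is_valid(
            challenge, post.get(CAPTCHA_ANSWER_FIELD, ""))
    return True  # no challenge -> nothing validated -> accepted


def hardened_accepts(post: Mapping[str, str]) -> bool:
    """Fix: a form configured with CAPTCHA must always carry a challenge
    token and a matching answer; a missing or empty token is a failure."""
    challenge = post.get(CAPTCHA_FIELD)
    answer = post.get(CAPTCHA_ANSWER_FIELD)
    if not challenge or answer is None:
        return False
    return captcha_answer_is_valid(challenge, answer)


# Constructed submissions: a legitimate one, then the attacker variants.
BASE = {"your-name": "Hannah", "your-message": "hello",
        CAPTCHA_FIELD: "a1b2c3", CAPTCHA_ANSWER_FIELD: "7K4QP"}
WRONG_ANSWER = {**BASE, CAPTCHA_ANSWER_FIELD: "ZZZZZ"}
PARAM_REMOVED = {k: v for k, v in BASE.items() if k != CAPTCHA_FIELD}
PARAM_EMPTIED = {**BASE, CAPTCHA_FIELD: ""}


def probe(handler: Callable[[Mapping[str, str]], bool]) -> Dict[str, bool]:
    """Submit each variant to a handler and report which it accepts."""
    return {
        "correct": handler(BASE),
        "wrong_answer": handler(WRONG_ANSWER),
        "param_removed": handler(PARAM_REMOVED),
        "param_emptied": handler(PARAM_EMPTIED),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_accepts),
                          ("hardened", hardened_accepts)):
        print(name, probe(handler))
```

The same probe is the right way to check a live site without flooding anyone: submit your own form once with the challenge parameter stripped and once with it blank, and confirm that both are rejected. The hardened handler works because the server, not the client, knows the form is CAPTCHA-protected, so absence of the parameter is treated as a failed check rather than as "nothing to validate".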
The following is an example request sent via ContactForm7 using CAPTCHA:
Impact: Potential Denial of Service attack against the site's email recipients.
Exploit code is not required.
25/02/2014 Advisory created
26/02/2014 Vendor contacted
26/02/2014 Vendor working on a fix
26/02/2014 Fix released
27/02/2014 Fix confirmed
04/03/2014 CVE obtained
04/03/2014 Published