Hannah discovers bug in Contact Form 7 to bypass CAPTCHA

Contact Form 7 is one of the most popular website contact forms implemented throughout websites developed using Wordpress. It allows users to quickly and easily submit a message or query to the owner of the site without the need to compose an entire email using a regular client.

Contact Form 7 makes use of a CAPTCHA facility in order to prevent the risk of exploitation from bots and potential attackers. Abuse of the form could result in an influx of requests, resulting in a possible Denial of Service attack against the site's email recipients.

Whilst testing this CAPTCHA facility on our own website, Hedgehog Security were able to bypass this feature and flood our inbox with thousands of requests.

The author of the plugin has now been notified and a fix was released within a matter of hours. To apply the fix, visit the link below and update to version 3.7.2:

http://wordpress.org/plugins/contact-form-7/changelog/

As a further precaution, it is advised that users of contact forms within their website(s) protect themselves by limiting the recipients of their contact forms and by creating an inbox rule to place the messages into a separate inbox folder.


CVE-2014-2265

This vulnerability has now been granted a CVE-ID. This can be viewed at www.cve.mitre.org

An advisory for this vulnerability may also be viewed below:

CVE: CVE-2014-2265
Vendor: Rock Lobster, LLC.
Product: ContactForm7
Affected Version: 3.7.1 and earlier
Fixed Version: 3.7.2
Reported by: Hannah Sharp


Details

It is possible to bypass the CAPTCHA facility and fill the recipient's inbox with an influx of requests. The removal of the '_wpcf7_captcha_challenge_captcha-719' parameter (or just the contents of the parameter) from a request sent via a form using CAPTCHA allows the sender to bypass validation. Because of this, a sender is able to automate the transmission of a huge number of emails to the site's email recipients.
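To show the logic error described above from the server's side, here is an added Python sketch (not Contact Form 7's own PHP code) that contrasts a fail-open check, which skips validation when the challenge parameter is absent or empty, with a fail-closed one that also consumes each challenge once. The challenge field name is the one quoted in the advisory; the answer field name, the issued-challenge table and the request bodies are constructed for the example.

```python
from urllib.parse import parse_qs

# The challenge field name is the one quoted in the advisory; the answer field
# name and the issued-challenge table are constructed for this example.
CHALLENGE_FIELD = "_wpcf7_captcha_challenge_captcha-719"
ANSWER_FIELD = "captcha-719"
ISSUED = {"a1b2c3": "7H4XQ"}  # constructed: challenge id -> expected answer

def parse_body(body: str) -> dict:
    """Decode a form-urlencoded body; keep_blank_values keeps an emptied parameter visible."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def captcha_ok_fail_open(fields: dict, issued: dict) -> bool:
    """Weak pattern matching the advisory: the check only runs when the challenge
    parameter is present and non-empty, so removing or blanking it skips it."""
    challenge = fields.get(CHALLENGE_FIELD, "")
    if not challenge:
        return True  # nothing to verify -> accepted (this is the bug)
    return issued.get(challenge) == fields.get(ANSWER_FIELD)

def captcha_ok_fail_closed(fields: dict, issued: dict) -> bool:
    """Hardened pattern: a form that requires CAPTCHA rejects a missing, empty,
    unknown or wrongly answered challenge, and consumes each challenge once so
    one solved CAPTCHA cannot be replayed to send many messages."""
    challenge = fields.get(CHALLENGE_FIELD, "")
    if not challenge or challenge not in issued:
        return False
    expected = issued.pop(challenge)  # single use, whatever the outcome
    return expected == fields.get(ANSWER_FIELD)

# Constructed request bodies (the captured request in the advisory omits its body).
SAMPLES = {
    "good": "your-name=Ann&_wpcf7_captcha_challenge_captcha-719=a1b2c3&captcha-719=7H4XQ",
    "wrong": "your-name=Ann&_wpcf7_captcha_challenge_captcha-719=a1b2c3&captcha-719=nope",
    "stripped": "your-name=Ann&captcha-719=nope",  # challenge parameter removed
    "emptied": "your-name=Ann&_wpcf7_captcha_challenge_captcha-719=&captcha-719=nope",
}

def compare_all() -> dict:
    """Run every sample through both validators, each with a fresh challenge table.
    Returns {name: (fail_open_result, fail_closed_result)}."""
    return {name: (captcha_ok_fail_open(parse_body(body), dict(ISSUED)),
                   captcha_ok_fail_closed(parse_body(body), dict(ISSUED)))
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (weak, hardened) in compare_all().items():
        print(f"{name:9s} fail-open={weak!s:5} fail-closed={hardened}")
```

Only the fail-open validator accepts the "stripped" and "emptied" bodies; the fail-closed one accepts a submission solely when a known challenge is answered correctly, and only once.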

The following is an example request sent via ContactForm7 using CAPTCHA:

POST / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
Content-Length: 238
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Impact: Potential Denial of Service attack against the site's email recipients.


Exploit:

Exploit code is not required.


Vendor status:

25/02/2014 Advisory created
26/02/2014 Vendor contacted
26/02/2014 Vendor working on a fix
26/02/2014 Fix released
27/02/2014 Fix confirmed
04/03/2014 CVE obtained
04/03/2014 Published