CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload

[Henri Salo <henri () nerv fi>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get 2014 CVE ID for unrestricted file upload vulnerability in Sexy Contact
Form, thanks. This is currently exploited in the wild.

Plugin has later changed name to Creative Contact Form:
http://extensions.joomla.org/extensions/contacts-and-feedback/contact-forms/23646
https://wordpress.org/plugins/sexy-contact-form/

Affected:
- - Joomla component com_sexycontactform 2.0.0 and below in
  "components/com_sexycontactform/fileupload/UploadHandler.php". Version 2.0.1
  contains fix.
- - WordPress plugin "includes/fileupload/UploadHandler.php" r780722 / 0.9.7
  and below. Changelog says that version 1.0.0 27/10/2014 contains the fix.

Fix is empty file so possibly removing the feature completely. There is also a
proprietary version of this plugin available, but the codebase is nearly the
same as far as I can tell.

UploadHandler.php is "jQuery File Upload Plugin PHP Class 6.4.4" in both
plugins. I have submitted all malicious uploaded files to several AV vendors.
- From log files I'm able to tell that these are automated attacks. Attacker tried
to exploit several Linux local exploit, sent emails and executed DoS attacks. I
have also reported affected installations via email to abuse@ addresses and
CERT.

I can investigate more if you have questions.

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlRiTxgACgkQXf6hBi6kbk/v+ACgxc/fCjN8mAGhTFWsnVKbHggo
4GoAn1jWlJmXxHP/J47sSTsmB7uPK526
=sUX3
-----END PGP SIGNATURE-----