oss-sec mailing list archives

Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload


From: Henri Salo <henri () nerv fi>
Date: Tue, 11 Nov 2014 20:51:08 +0200

References for the issue:
- http://www.exploit-db.com/exploits/35057/
- http://osvdb.org/113669
- http://packetstormsecurity.com/files/128822/WordPress-Joomla-Creative-Contact-Form-0.9.7-Shell-Upload.html

Exploit-DB says "Vulnerability discovered by Gianni Angelozzi" and it is dated
2014-10-25, but from log files I can see that the attacks started 2014-10-02 in
one of the sites I investigated.

---
Henri Salo

