Date: Tue, 11 Nov 2014 20:51:08 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Joomla component com_sexycontactform
 and WordPress plugin sexy-contact-form unrestricted file upload

References for the issue:
- http://www.exploit-db.com/exploits/35057/
- http://osvdb.org/113669
- http://packetstormsecurity.com/files/128822/WordPress-Joomla-Creative-Contact-Form-0.9.7-Shell-Upload.html

Exploit-DB says "Vulnerability discovered by Gianni Angelozzi" and it is dated
2014-10-25, but from log files I can see that the attacks started 2014-10-02 in
one of the sites I investigated.

---
Henri Salo
