Vulnerability in Contact Form 7, a WordPress plugin with 5 million installations

A vulnerability (CVE-2020-35489) has been found in the WordPress plugin Contact Form 7, which has over 5 million active installations. It affects releases before 5.3.2 and allows an attacker to arrange execution of PHP code on the server.

The Contact Form 7 plugin adds arbitrary feedback forms through which visitors can contact a site … The vulnerability appears when file uploads are enabled in a form (for example, to let a visitor attach an image): in addition to the explicitly allowed file types, it lets files with any extension be uploaded to the server.

To bypass the check on an uploaded file it is enough to place a separator character in the file name, followed by a valid extension. For example, when a file named "test.php t.png" is uploaded, the plugin treats it as a PNG image, but the file that ends up on disk is test.php. It can then be invoked by requesting it directly from the site, unless the web server configuration explicitly prohibits executing scripts in the directory that holds uploaded data.

The problem was fixed by removing separator and control characters from uploaded file names. The practical exploitability in typical configurations is assessed as low, since by default Contact Form 7 creates a .htaccess file in the upload directory on servers running Apache httpd that denies direct access to uploaded files ("Deny from all"). Note that this protection relies on Apache honouring .htaccess; other web servers such as nginx ignore that file, so on those deployments the upload directory must be protected in the server configuration itself.
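The following is an added example, written for this page rather than taken from the plugin, that models the two views of the file name the bug exploited and the kind of sanitization the fix introduced. The naive check trusts only the text after the final dot; `strip_separators_and_controls` removes every Unicode separator (Z*) and control/format (C*) code point, the Python equivalent of dropping the PCRE class `[\pZ\pC]`. The allow-list, the script-extension list and the `neutralize_script_segments` step are assumptions of this example, added as defence in depth, and the sample names are constructed (a TAB stands in for the separator in "test.php t.png").

```python
import os
import unicodedata

# Assumed lists for this example; the plugin's real allow-list is configured
# per form and its script-extension handling is not reproduced here.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar"}


def last_extension(name: str) -> str:
    """The extension as a naive check sees it: whatever follows the final dot."""
    base = os.path.basename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def naive_is_allowed(name: str) -> bool:
    """Pre-fix style validation: trusts the text after the final dot and
    nothing else, so a separator earlier in the name is never noticed."""
    return last_extension(name) in ALLOWED_EXTENSIONS


def name_before_first_separator(name: str) -> str:
    """What a consumer that stops at the first separator/control character
    would see. Illustrates the behaviour described above; it is not the
    plugin's actual code path."""
    out = []
    for ch in name:
        if unicodedata.category(ch)[0] in "ZC":
            break
        out.append(ch)
    return "".join(out)


def strip_separators_and_controls(name: str) -> str:
    r"""Drop every code point in Unicode categories Z* (separators: space,
    NBSP, line/paragraph separators) and C* (controls such as TAB, CR, LF,
    NUL, and format characters such as zero-width space). Equivalent to
    removing the PCRE class [\pZ\pC], which is what the described fix does."""
    return "".join(ch for ch in name if unicodedata.category(ch)[0] not in "ZC")


def neutralize_script_segments(name: str) -> str:
    """Defence in depth (an assumption of this example, not the plugin's
    code): append '_' to any dot-separated segment that is a script
    extension, so a name like 'x.php.png' cannot be executed by a server
    that maps handlers on any extension in the file name (Apache's
    AddHandler directive behaves this way)."""
    parts = name.split(".")
    return ".".join(p + "_" if p.lower() in SCRIPT_EXTENSIONS else p for p in parts)


def sanitize_upload_name(name: str) -> str:
    """Hardened pipeline: strip separators/controls, neutralize script
    segments, then enforce the allow-list on the final extension.
    Returns the name to store on disk, or raises ValueError."""
    cleaned = strip_separators_and_controls(os.path.basename(name))
    if cleaned in ("", ".", ".."):
        raise ValueError("empty file name")
    cleaned = neutralize_script_segments(cleaned)
    if last_extension(cleaned) not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {cleaned!r}")
    return cleaned


def is_safe_upload_name(name: str) -> bool:
    """True if sanitize_upload_name accepts the name, False if it rejects it."""
    try:
        sanitize_upload_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; the TAB mirrors the separator in "test.php t.png".
    samples = ["test.php\tt.png", "photo.php.png", "shell.php",
               "a\u2028b.PNG", "test.php\x00.png"]
    for sample in samples:
        stored = sanitize_upload_name(sample) if is_safe_upload_name(sample) else "REJECTED"
        print(repr(sample),
              "| naive check:", naive_is_allowed(sample),
              "| seen before separator:", repr(name_before_first_separator(sample)),
              "| hardened:", stored)
```

The point to take from the first sample is that `naive_is_allowed` accepts "test.php\tt.png" because its final extension is "png", while anything that stops at the TAB sees "test.php"; after `strip_separators_and_controls` the two views agree on a single name, "test.phpt.png", which no longer carries a standalone ".php" segment. Stripping is what the fix does; rejecting names that contain such characters outright is an equally valid policy where a plain error is acceptable to the user.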

Exploitation is further complicated by the fact that the file is saved in a temporary directory with a random name and deleted immediately after it has been sent to the recipient. To learn the name of that temporary directory on the server, directory listing must be enabled, and the attacker must manage to request the file before it is deleted. The server must also allow PHP scripts to run in that directory.
