Comments on: WP Contact-Form Vulnerabilities http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities Always something worth reading... Fri, 12 Mar 2010 11:09:45 +0000 http://wordpress.org/?v= hourly 1 By: Jim http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-14176 Jim Tue, 07 Oct 2008 14:46:16 +0000 http://blogsecurity.net/?p=263#comment-14176 Just create a page with your contact information. Make a special gmail email account just for your blog and let-er rip. I am really starting to stay away from plugins because of all these security issues. Look at joomla, nearly every plugin has some sort of security issue with it, wordpress to follow. Just create a page with your contact information. Make a special gmail email account just for your blog and let-er rip. I am really starting to stay away from plugins because of all these security issues. Look at joomla, nearly every plugin has some sort of security issue with it, wordpress to follow.

]]> By: MustLive http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-13152 MustLive Tue, 26 Aug 2008 20:39:40 +0000 http://blogsecurity.net/?p=263#comment-13152 Douglas. When I'll find time I'll write you recommendations about these holes. Guys. As I wrote above I found holes in three contact form plugins. All contact form plugins (like any other plugins) can have holes. So it's better to attend to security and make security audit of all plugins and the whole sites. Douglas.

When I’ll find time I’ll write you recommendations about these holes.

Guys.

As I wrote above I found holes in three contact form plugins. All contact form plugins (like any other plugins) can have holes. So it’s better to attend to security and make security audit of all plugins and the whole sites.

]]> By: MustLive http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-13077 MustLive Sun, 24 Aug 2008 21:48:08 +0000 http://blogsecurity.net/?p=263#comment-13077 And don't forget about XSS holes in WP-ContactForm 1.5 (<a href="http://websecurity.com.ua/948/" rel="nofollow">http://websecurity.com.ua/948/</a>) and Contact Form ][ (<a href="http://websecurity.com.ua/2328/" rel="nofollow">http://websecurity.com.ua/2328/</a>) which are exist at contact form page. They can be used as for attacking admin and registered users of the site, as for attacking visitors of the site. And don’t forget about XSS holes in WP-ContactForm 1.5 (http://websecurity.com.ua/948/) and Contact Form ][ (http://websecurity.com.ua/2328/) which are exist at contact form page. They can be used as for attacking admin and registered users of the site, as for attacking visitors of the site.

]]> By: MustLive http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-13076 MustLive Sun, 24 Aug 2008 21:41:17 +0000 http://blogsecurity.net/?p=263#comment-13076 David, and once more about your post :-). <blockquote>The actual contact form page that your users see is not vulnerable to these attacks.</blockquote> It's not correct statement. Because actual contact form page is vulnerable too - in both WP-ContactForm and Contact Form ][ plguins. Abuse of Functionality hole in both plugins (which is working at the contact page) allow to send spam to arbitrary emails via sites with any of these plugins. Insufficient Anti-automation hole in WP-ContactForm (due captcha bypass) allow to send any amount of messages to admin (and to any email in case of Abuse of Functionality hole). Insufficient Anti-automation in Contact Form ][ (due lack of captcha) also allow to send any amount of messages to admin (and to any email in case of Abuse of Functionality hole). In both case Insufficient Anti-automation hole is at the contact page. Only Cross-Site Request Forgery and Cross-Site Scripting holes in both plugins are exist at options page (options-contactform.php). But even in these case there some persistent XSS there which can be used to attack visitors of site at contact page form. So there are a lot of holes in both of these plugins (like in original WP-ContactForm 1.5). David, and once more about your post :-).

The actual contact form page that your users see is not vulnerable to these attacks.

It’s not correct statement. Because actual contact form page is vulnerable too – in both WP-ContactForm and Contact Form ][ plguins.

Abuse of Functionality hole in both plugins (which is working at the contact page) allow to send spam to arbitrary emails via sites with any of these plugins.

Insufficient Anti-automation hole in WP-ContactForm (due captcha bypass) allow to send any amount of messages to admin (and to any email in case of Abuse of Functionality hole). Insufficient Anti-automation in Contact Form ][ (due lack of captcha) also allow to send any amount of messages to admin (and to any email in case of Abuse of Functionality hole). In both case Insufficient Anti-automation hole is at the contact page.

Only Cross-Site Request Forgery and Cross-Site Scripting holes in both plugins are exist at options page (options-contactform.php). But even in these case there some persistent XSS there which can be used to attack visitors of site at contact page form. So there are a lot of holes in both of these plugins (like in original WP-ContactForm 1.5).

]]> By: MustLive http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-13071 MustLive Sun, 24 Aug 2008 20:58:14 +0000 http://blogsecurity.net/?p=263#comment-13071 David! You wrote incorrect link ;-) (this link cab be written in another post about 2nd WP plugin if you want to write about it). The post where you linked is about vulnerabilities in Contact Form ][. I wrote about vulnerability in WP-ContactForm in other post: http://websecurity.com.ua/2335/ (and I wrote about many other holes in WP-ContactForm last year in MoBiC project). These are similar plugins (Contact Form ][ and WP-ContactForm) and they both have vulnerabilities. Contact Form ][ made by Chip Cuccio and WP-ContactForm made by Douglas Karr - they both made from original WP-ContactForm 1.5 and both have made similar holes (and some holes left from original), but also have their own holes. And both these plugins need to improve their security. David!

You wrote incorrect link ;-) (this link cab be written in another post about 2nd WP plugin if you want to write about it).

The post where you linked is about vulnerabilities in Contact Form ][. I wrote about vulnerability in WP-ContactForm in other post: http://websecurity.com.ua/2335/ (and I wrote about many other holes in WP-ContactForm last year in MoBiC project).

These are similar plugins (Contact Form ][ and WP-ContactForm) and they both have vulnerabilities. Contact Form ][ made by Chip Cuccio and WP-ContactForm made by Douglas Karr - they both made from original WP-ContactForm 1.5 and both have made similar holes (and some holes left from original), but also have their own holes. And both these plugins need to improve their security.

]]> By: Michael Clark http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-12928 Michael Clark Wed, 20 Aug 2008 18:21:26 +0000 http://blogsecurity.net/?p=263#comment-12928 Isn't this another case where locking down your wp-admin folder so only specific users can access it would be useful? Thesea ren't WP users, but users defined in a .htaccess file. Isn’t this another case where locking down your wp-admin folder so only specific users can access it would be useful? Thesea ren’t WP users, but users defined in a .htaccess file.

]]> By: hombrelobo http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-12919 hombrelobo Wed, 20 Aug 2008 07:10:53 +0000 http://blogsecurity.net/?p=263#comment-12919 Would be nice to suggest a better one instead of saying there are millons better ones .... a link maybe ? Would be nice to suggest a better one instead of saying there are millons better ones …. a link maybe ?

]]> By: beliebtes Wordpress Plugin WP-ContactForm angreifbar » Pixeldrama» Webdesign Berlin http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-12912 beliebtes Wordpress Plugin WP-ContactForm angreifbar » Pixeldrama» Webdesign Berlin Mon, 18 Aug 2008 08:54:05 +0000 http://blogsecurity.net/?p=263#comment-12912 [...] Quelle: perun | Infos: BlogSecurity [...] [...] Quelle: perun | Infos: BlogSecurity [...]

]]> By: Schweizer WordPress Magazin » Beitrag: Effektive Sicherheit in WordPress http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-12906 Schweizer WordPress Magazin » Beitrag: Effektive Sicherheit in WordPress Sat, 16 Aug 2008 14:43:38 +0000 http://blogsecurity.net/?p=263#comment-12906 [...] stammt von BlogSecurity, wo regelmässig auch Sicherheitslücken von WordPress und dessen Plugins (WP Contact Form Plugin) aufgedeckt werden. Um das eigene Blog zu scannen, muss lediglich dieser Kommentar in die [...] [...] stammt von BlogSecurity, wo regelmässig auch Sicherheitslücken von WordPress und dessen Plugins (WP Contact Form Plugin) aufgedeckt werden. Um das eigene Blog zu scannen, muss lediglich dieser Kommentar in die [...]

]]> By: WP-ContactForm mit Sicherheitsl http://blogsecurity.net/wordpress/wp-contact-form-vulnerabilities/comment-page-1#comment-12901 WP-ContactForm mit Sicherheitsl Thu, 14 Aug 2008 18:12:10 +0000 http://blogsecurity.net/?p=263#comment-12901 [...] WordPress-Plugins f [...] WordPress-Plugins f

]]>