[VIM] [Fwd: contactforms "cforms-css.php" Remote File Inclusion]

Steven M. Christey coley at linus.mitre.org
Tue Feb 5 23:56:37 UTC 2008


> The only contactforms I can find with cforms-css.php is a wordpress
> plugin.
>
> The script dies on its first line of code (line 7) because the function
> load_plugin_textdomain could not be found.

Same conclusion here - we assigned CVE-2008-0560 and disputed it, based on
version 7.3 code.

- Steve


======================================================
Name: CVE-2008-0560
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0560
Acknowledged: no
Announced: 20080131
Flaw: php-include
Reference: BUGTRAQ:20080131 contactforms "cforms-css.php" Remote File Inclusion
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/487347/100/0/threaded
Reference: VIM:20080131 [Fwd: contactforms "cforms-css.php" Remote File Inclusion]
Reference: URL:http://www.attrition.org/pipermail/vim/2008-January/001895.html

** DISPUTED **

PHP remote file inclusion vulnerability in cforms-css.php in Oliver
Seidel cforms (contactforms), a Wordpress plugin, allows remote
attackers to execute arbitrary PHP code via a URL in the tm parameter.
NOTE: CVE disputes this issue for 7.3, since there is no tm parameter,
and the code exits with a fatal error due to a call to an undefined
function.


Analysis:
INCLUSION: Google searches for "contactforms" suggest that this is a
distributable product; see http://www.deliciousdays.com/cforms-plugin

ACCURACY: version 7.3, as downloaded from the vendor site on 20080204,
does not appear to use the tm parameter, at least based on crude grep
searches.  In addition, the first line of cforms-css.php calls
load_plugin_textdomain(), which is undefined, so cforms-css.php would
exit with a fatal error.  Earlier versions were not available.
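The two checks the analysis describes (does the file read the claimed parameter at all, and does any include take its path from request input) can be scripted for triage of similar RFI reports. This is an added example, not code from the VIM thread or from the cforms plugin; the PHP snippets in it are constructed for illustration.

```python
"""Crude static triage of a PHP remote file inclusion (RFI) claim.

Added example, not code from the VIM thread or from the cforms plugin.
It automates the two checks the analysis above describes: does the file
read the claimed parameter at all, and does any include/require take
its path from a request superglobal?  The PHP below is constructed.
"""
import re

QUOTE = "['\"]"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*" + QUOTE

# include/require whose argument (up to the ';') reads a request parameter
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b[^;]*?"
    + SUPERGLOBAL + r"(\w+)" + QUOTE + r"\s*\]"
)


def user_controlled_includes(php_src):
    """Return (keyword, parameter) for every include fed by user input."""
    return [(m.group(1), m.group(2)) for m in INCLUDE_RE.finditer(php_src)]


def uses_parameter(php_src, name):
    """True if the file reads the named request parameter anywhere."""
    pattern = SUPERGLOBAL + re.escape(name) + QUOTE + r"\s*\]"
    return re.search(pattern, php_src) is not None


def triage(php_src, claimed_param):
    """'confirmed' if the parameter flows into an include, 'disputed' if the
    file never reads it (as with 'tm' in the thread), else 'inconclusive'."""
    if any(p == claimed_param for _, p in user_controlled_includes(php_src)):
        return "confirmed"
    if not uses_parameter(php_src, claimed_param):
        return "disputed"
    return "inconclusive"


# Constructed samples: a textbook RFI and a file that never reads 'tm'.
VULNERABLE = '<?php\ninclude($_GET["tm"] . "/style.css");\n'
NO_TM_PARAM = (
    "<?php\n"
    "load_plugin_textdomain('cforms');  // fatal if run outside WordPress\n"
    "$style = isset($_GET['style']) ? basename($_GET['style']) : 'default';\n"
    "include dirname(__FILE__) . '/styles/' . $style . '.css';\n"
)

if __name__ == "__main__":
    print(triage(VULNERABLE, "tm"), triage(NO_TM_PARAM, "tm"))
```

An "inconclusive" result means the parameter is read but not passed straight into an include, so manual review of the data flow is still needed.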