CVE-2016-9492 - OpenCVE

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jqueryform	Php Formmail Generator

Configuration 1 [-]

cpe:2.3:a:jqueryform:php_formmail_generator:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/96718	Third Party Advisory VDB Entry
https://www.kb.cert.org/vuls/id/608591	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2018-07-13T20:00:00

Updated: 2018-07-14T09:57:01

Reserved: 2016-11-21T00:00:00

Link: CVE-2016-9492

JSON object: View

NVD Information

Status : Modified

Published: 2018-07-13T20:29:01.643

Modified: 2019-10-09T23:20:32.070

Link: CVE-2016-9492

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "Generator", "vendor": "PHP FormMail", "versions": [{"lessThan": "17/12/2016", "status": "affected", "version": "17/12/2016", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Ibram Marzouk for reporting this vulnerability."}], "datePublic": "2017-03-07T00:00:00", "descriptions": [{"lang": "en", "value": "The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-14T09:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "96718", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96718"}, {"name": "VU#608591", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/608591"}], "source": {"discovery": "UNKNOWN"}, "title": "PHP forms generated using the PHP FormMail Generator are vulnerable to unrestricted upload of dangerous file types", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2016-9492", "STATE": "PUBLIC", "TITLE": "PHP forms generated using the PHP FormMail Generator are vulnerable to unrestricted upload of dangerous file types"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Generator", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "17/12/2016", "version_value": "17/12/2016"}]}}]}, "vendor_name": "PHP FormMail"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Ibram Marzouk for reporting this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434"}]}]}, "references": {"reference_data": [{"name": "96718", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96718"}, {"name": "VU#608591", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/608591"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-9492", "datePublished": "2018-07-13T20:00:00", "dateReserved": "2016-11-21T00:00:00", "dateUpdated": "2018-07-14T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqueryform:php_formmail_generator:*:*:*:*:*:*:*:*", "matchCriteriaId": "083C5DB4-DAF1-435B-A03B-3B3F43A23A9B", "versionEndExcluding": "2016-12-17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename."}, {"lang": "es", "value": "El c\u00f3digo generado por PHP FormMail Generator en versiones anteriores al 17 de diciembre de 2016 es vulnerable a la subida sin restricci\u00f3n de tipos de archivo peligrosos. En el archivo form.lib.php generado, los tipos de archivo de subida se comprueban contra una lista embebida de extensiones peligrosas. Esta lista no incluye todas las variaciones de archivos PHP, lo que puede conducir a la ejecuci\u00f3n del c\u00f3digo PHP contenido si el atacante puede adivinar el nombre de archivo subido. Por defecto, el formulario anexa una cadena aleatoria al fina del nombre de archivo."}], "id": "CVE-2016-9492", "lastModified": "2019-10-09T23:20:32.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-13T20:29:01.643", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96718"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/608591"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "cret@cert.org", "type": "Secondary"}]}