From 2e8c15d5fc76e2bffc9416c23a069d8baeeac875 Mon Sep 17 00:00:00 2001
From: Alan Brian <36174194+alanbriangh@users.noreply.github.com>
Date: Sun, 21 Mar 2021 14:51:13 -0300
Subject: [PATCH 1/6] FIX: Add 2020-35489 detection Add 2020-35489 detection
---
cves/2020/CVE-2020-35489.yaml | 116 ++++++++++++++++++++++++++++++++++
1 file changed, 116 insertions(+)
create mode 100644 cves/2020/CVE-2020-35489.yaml
diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml
new file mode 100644
index 00000000000..a85f0dfa06d
--- /dev/null
+++ b/cves/2020/CVE-2020-35489.yaml
@@ -0,0 +1,116 @@
+id: 2020-35489
+info:
+ name: WordPress Contact Form 7 Plugin - Unrestricted File Upload
+ author: soyelmago
+ severity: critical
+ reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489
+ tags: cve,cve2020,wordpress,plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "Contact Form 7"
+ condition: and
+ part: body
+ - type: word
+ words:
+ - "2.0.7"
+ - "2.1"
+ - "2.1.2"
+ - "2.2"
+ - "2.2.1"
+ - "2.3"
+ - "2.3.1"
+ - "2.4"
+ - "2.4.1"
+ - "2.4.2"
+ - "2.4.3"
+ - "2.4.4"
+ - "2.4.5"
+ - "2.4.6"
+ - "3.0"
+ - "3.0.1"
+ - "3.0.2"
+ - "3.1"
+ - "3.1.1"
+ - "3.1.2"
+ - "3.2"
+ - "3.3"
+ - "3.3.1"
+ - "3.3.2"
+ - "3.3.3"
+ - "3.4"
+ - "3.4.1"
+ - "3.4.2"
+ - "3.5"
+ - "3.5.1"
+ - "3.5.2"
+ - "3.5.3"
+ - "3.5.4"
+ - "3.6"
+ - "3.7"
+ - "3.7.1"
+ - "3.7.2"
+ - "3.8"
+ - "3.8.1"
+ - "3.9"
+ - "3.9.1"
+ - "3.9.2"
+ - "3.9.3"
+ - "4.0"
+ - "4.0.1"
+ - "4.0.2"
+ - "4.0.3"
+ - "4.1"
+ - "4.1.1"
+ - "4.1.2"
+ - "4.2"
+ - "4.2.1"
+ - "4.2.2"
+ - "4.3"
+ - "4.3.1"
+ - "4.4"
+ - "4.4.1"
+ - "4.4.2"
+ - "4.5"
+ - "4.5.1"
+ - "4.6"
+ - "4.6.1"
+ - "4.7"
+ - "4.8"
+ - "4.8.1"
+ - "4.9"
+ - "4.9.1"
+ - "4.9.2"
+ - "5.0"
+ - "5.0.1"
+ - "5.0.2"
+ - "5.0.3"
+ - "5.0.4"
+ - "5.0.5"
+ - "5.1"
+ - "5.1.1"
+ - "5.1.2"
+ - "5.1.4"
+ - "5.1.5"
+ - "5.1.6"
+ - "5.1.7"
+ - "5.1.8"
+ - "5.1.9"
+ - "5.2"
+ - "5.2.1"
+ - "5.2.2"
+ - "5.3"
+ - "5.3.1"
+ condition: or
+ part: body
+
+
From 943080c6bd19c8b5bb22f53e39fe240ceab8ab8a Mon Sep 17 00:00:00 2001
From: Alan Brian <36174194+alanbriangh@users.noreply.github.com>
Date: Sun, 21 Mar 2021 14:57:32 -0300
Subject: [PATCH 2/6] FIX: Indentation
---
cves/2020/CVE-2020-35489.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml
index a85f0dfa06d..6b3c4b6fe64 100644
--- a/cves/2020/CVE-2020-35489.yaml
+++ b/cves/2020/CVE-2020-35489.yaml @@ -5,7 +5,6 @@ info: severity: critical reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin - requests: - method: GET path: @@ -112,5 +111,3 @@ requests: - "5.3.1" condition: or part: body - - From f7a508ad1efdee061748ddc14c7ba583a58ec196 Mon Sep 17 00:00:00 2001 From: Alan Brian <36174194+alanbriangh@users.noreply.github.com> Date: Sun, 21 Mar 2021 15:08:38 -0300 Subject: [PATCH 3/6] FIX: Indentation --- cves/2020/CVE-2020-35489.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index 6b3c4b6fe64..de102f664c2 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -3,7 +3,8 @@ info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin requests: - method: GET From 1f8170332a4e8c37b42e81a514eaa5b9e30b81da Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 22 Mar 2021 01:21:07 +0530 Subject: [PATCH 4/6] Update CVE-2020-35489.yaml --- cves/2020/CVE-2020-35489.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index de102f664c2..e5e97352db9 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -1,9 +1,9 @@ id: 2020-35489 info: - name: WordPress Contact Form 7 Plugin - Unrestricted File Upload + name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: + reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin requests: 
From 5ae86fcaef055d03728ec603c3cff531dafecb66 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 22 Mar 2021 01:22:38 +0530 Subject: [PATCH 5/6] Update CVE-2020-35489.yaml --- cves/2020/CVE-2020-35489.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index e5e97352db9..f4e2bbd5163 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -1,15 +1,17 @@ -id: 2020-35489 +id: CVE-2020-35489 + info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin + requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt" + matchers-condition: and matchers: - type: status From 904c9666d13785aa25feef32b4e49ad0b03ed5cc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 25 Mar 2021 01:28:03 +0530 Subject: [PATCH 6/6] matcher and workflow update --- cves/2020/CVE-2020-35489.yaml | 104 +++--------------------------- workflows/wordpress-workflow.yaml | 1 + 2 files changed, 10 insertions(+), 95 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index f4e2bbd5163..38c6fb3ae61 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml 
@@ -4,8 +4,9 @@ info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 - tags: cve,cve2020,wordpress,plugin + description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-35489 + tags: cve,cve2020,wordpress,wp-plugin requests: - method: GET @@ -17,100 +18,13 @@ requests: - type: status status: - 200 + - type: word words: - "Contact Form 7" - condition: and - part: body - - type: word - words: - - "2.0.7" - - "2.1" - - "2.1.2" - - "2.2" - - "2.2.1" - - "2.3" - - "2.3.1" - - "2.4" - - "2.4.1" - - "2.4.2" - - "2.4.3" - - "2.4.4" - - "2.4.5" - - "2.4.6" - - "3.0" - - "3.0.1" - - "3.0.2" - - "3.1" - - "3.1.1" - - "3.1.2" - - "3.2" - - "3.3" - - "3.3.1" - - "3.3.2" - - "3.3.3" - - "3.4" - - "3.4.1" - - "3.4.2" - - "3.5" - - "3.5.1" - - "3.5.2" - - "3.5.3" - - "3.5.4" - - "3.6" - - "3.7" - - "3.7.1" - - "3.7.2" - - "3.8" - - "3.8.1" - - "3.9" - - "3.9.1" - - "3.9.2" - - "3.9.3" - - "4.0" - - "4.0.1" - - "4.0.2" - - "4.0.3" - - "4.1" - - "4.1.1" - - "4.1.2" - - "4.2" - - "4.2.1" - - "4.2.2" - - "4.3" - - "4.3.1" - - "4.4" - - "4.4.1" - - "4.4.2" - - "4.5" - - "4.5.1" - - "4.6" - - "4.6.1" - - "4.7" - - "4.8" - - "4.8.1" - - "4.9" - - "4.9.1" - - "4.9.2" - - "5.0" - - "5.0.1" - - "5.0.2" - - "5.0.3" - - "5.0.4" - - "5.0.5" - - "5.1" - - "5.1.1" - - "5.1.2" - - "5.1.4" - - "5.1.5" - - "5.1.6" - - "5.1.7" - - "5.1.8" - - "5.1.9" - - "5.2" - - "5.2.1" - - "5.2.2" - - "5.3" - - "5.3.1" - condition: or part: body + + - type: regex + regex: + - '^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)' + part: body \ No newline at end of file diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 615b50315df..32ba1cd0336 100644 
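Review bot: The `regex` matcher added in the second hunk is not tied to the plugin's version line, so it is unlikely to flag the "before 5.3.2" installs the new description names. Without a `(?m)` flag, `^` in Go's regexp syntax (the engine nuclei uses, as far as I know) anchors only at the very start of the body, and a WordPress readme.txt normally opens with the `=== Plugin Name ===` header rather than a version number, so vulnerable sites would be missed; with multiline matching it would instead fire on any line that begins with a digit and a dot. The alternation also drops two-part versions: `5\.[0-2]\.` requires a trailing dot, so `5.2` fails, and `5\.3\.[0-1]$` leaves plain `5.3` out. I would anchor on the readme's `Stable tag:` header instead, e.g. `- '(?mi)^Stable tag:\s*([0-4]\.\d|5\.[0-2]\b|5\.3(\.[01])?\s*$)'`, and confirm it against the readme.txt of a vulnerable and of the fixed 5.3.2 release before merging. The `matchers` list starts above this hunk, so I am only commenting on the entries visible here.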
--- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -26,6 +26,7 @@ workflows: - template: cves/2020/CVE-2020-13700.yaml - template: cves/2020/CVE-2020-14092.yaml - template: cves/2020/CVE-2020-35951.yaml + - template: cves/2020/CVE-2020-35489.yaml - template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml - template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml - template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml