Recently, a security vulnerability was discovered in BestWebSoft Contact Form 3.21, which can potentially lead to cross-site request forgery (CSRF) issues. This vulnerability specifically affects the cntctfrm_settings_page function located within the contact_form.php file. It has been classified as problematic and needs to be addressed immediately.

Exploit Details:

Manipulating this function leads indirectly to CSRF: the settings handler acts on the incoming request without validating that it was intentionally submitted from the plugin's own settings page, which puts user information at risk. The vulnerability can be exploited remotely, making it an even more critical issue to resolve.

Here is a snippet of the code where the vulnerability occurs:

<?php
function cntctfrm_settings_page() {
  global $cntctfrm_options;

  // The handler is reached via the settings page and the 'cntctfrm_settings' action.
  if ( isset( $_REQUEST['page'] ) && 'contact_form.php' == $_REQUEST['page'] ) {
    if ( isset( $_REQUEST['action'] ) && 'cntctfrm_settings' == $_REQUEST['action'] ) {
      // In 3.21 the request is processed here without any CSRF (nonce) validation;
      // this is the point where such a check belongs.
      // ...
    }
  }
  // Continue with the rest of the file ...
}
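As an added illustration (not the plugin's code and not the vendor's patch), the following hypothetical WordPress settings handler is shown first without protection and then hardened with WordPress's standard capability and nonce checks, which is what a reviewer should expect to find in a fixed settings page; the option, action and field names are invented:

```php
<?php
// Added illustration, not the plugin's code. Option name, nonce action and
// field names (example_*) are invented for this example.

// BEFORE: the handler trusts $_REQUEST. Any page that can make a logged-in
// administrator's browser send this request can change the setting.
function example_settings_save_unprotected() {
    if ( isset( $_REQUEST['example_notify_email'] ) ) {
        update_option( 'example_notify_email', $_REQUEST['example_notify_email'] );
    }
}

// AFTER: capability check, POST only, nonce check, then sanitization.
function example_settings_save_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change settings
    }
    if ( ! isset( $_POST['example_save'] ) ) {
        return; // nothing was submitted
    }
    // check_admin_referer() verifies the nonce bound to this action and the
    // current user; on failure it stops execution with an error page, so a
    // request forged from another site never reaches update_option().
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['example_notify_email'] ?? '' ) );
    if ( is_email( $email ) ) {
        update_option( 'example_notify_email', $email );
    }
}

// The settings form must emit the matching nonce field, otherwise the
// protected handler rejects every legitimate save as well.
function example_settings_form() {
    $current = get_option( 'example_notify_email', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="email" name="example_notify_email" value="' . esc_attr( $current ) . '">';
    echo '<input type="submit" name="example_save" value="Save">';
    echo '</form>';
}
```

When auditing a fixed build, look for a nonce check such as check_admin_referer() or wp_verify_nonce() placed before any call that writes settings, together with a capability check.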

References:

1. CVE-2012-10010
2. VDB-225321 (VulDB vulnerability identifier)

Solution:

Upgrading BestWebSoft Contact Form to version 3.22 resolves this vulnerability. The fixing commit is identified as 8398d96fffe45ec9267d7259961c2ef89ed8005.

1. Back up your existing contact form data, if necessary.

2. Download the latest version (3.22) of BestWebSoft Contact Form from the official website or repository.

3. Follow the instructions provided by BestWebSoft to perform the upgrade.

4. Verify that the vulnerability has been addressed by checking the cntctfrm_settings_page function in the contact_form.php file.

In conclusion, it is highly recommended for users running BestWebSoft Contact Form 3.21 to upgrade to the latest version to protect their data from CSRF attacks.

Timeline

Published on: 04/09/2023 06:15:00 UTC
Last modified on: 04/18/2023 01:07:00 UTC