• Hi,

    A site we run was recently flagged by SiteLock as having an issue with unsanitized request strings, and they pointed directly at our Contact Form 7 form. The form is Get A Quote, which submits basic contact info so a sales rep can get in touch.

    The message was this:

    Synopsis: It may be possible to run arbitrary code on the remote web server.

    Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.
    Note that this script uses a time-based method which is less reliable than the basic method.

    Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

    Technical Details: Using the POST HTTP method, SiteLock App Scan found that:
    + The following resources may be vulnerable to arbitrary command execution (time based):
    + The ‘City’ parameter of the /get-a-quote[your-email=&comments=&_wpcf7=671&besttime=&State=&+wpcf7_captcha_challenge_SecurityCode=2144197497&TypeofCoverage[]=Home&_wpcf7_unit_tag=wpcf7-f671=p79-o1&PhoneNumber=&Zipcode=&_wpnonce=d06d5c35f9&Address=&_wpcf7_local=SecurityCode=&_wpcf7_version=4.0.2&&your-name=&City=x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26]
    -------- output --------

    So from what I could tell by their alert, and the warning that the issue needed to be addressed within 72 hours, is that they were able to execute a command-line ping using the City field in the contact form.

    When I checked the plugin, it needed an update, and I updated it to the current version 4.0.3. I didn’t check beforehand to see what version I had, so I’m thinking I had a version lower than 4.0.2, which looks like when you guys added a security update. Can you confirm this for me? Does this make sense to you guys, or is it possible 4.0.2 had this security issue?

    Thank you,
    David

    https://www.ads-software.com/plugins/contact-form-7/
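The scanner itself says its time-based method is less reliable than the basic one: it only observed that the response with the probe in the City field took about as long as `ping -n 3 127.0.0.1` would, and one slow response is indistinguishable from ordinary latency jitter. The following added example (not from the thread or the plugin) shows the comparison a triager would make with real timings before believing such a report; the timing samples are constructed, and the 3-second delay is an assumption based on the probe's ping count.

```python
"""Triage helper for a time-based command-injection finding.

`naive_single_shot` mirrors what a one-measurement scanner does; `classify`
requires repeated probe runs to all exceed the slowest clean run by most of
the expected delay before calling the finding credible.
"""

# Assumed delay of `ping -n 3 127.0.0.1` (three echoes, ~1 s apart on Windows).
PROBE_DELAY_S = 3.0


def naive_single_shot(baseline_s, probe_s, expected_delay=PROBE_DELAY_S, min_ratio=0.8):
    """One clean timing, one probe timing: the scanner's decision rule."""
    return (probe_s - baseline_s) >= expected_delay * min_ratio


def classify(baseline, probes, expected_delay=PROBE_DELAY_S, min_ratio=0.8):
    """Return 'likely injection', 'noise' or 'inconclusive'.

    baseline: response times (s) of the unmodified form POST, repeated
    probes:   response times (s) of the same POST with the probe payload, repeated
    """
    if len(baseline) < 3 or len(probes) < 3:
        return "inconclusive"  # too few samples to separate delay from jitter
    slowest_clean = max(baseline)
    needed = slowest_clean + expected_delay * min_ratio
    if all(p >= needed for p in probes):
        return "likely injection"  # delay reproduces every time
    if all(p < needed for p in probes):
        return "noise"             # nothing beyond the site's own jitter
    return "inconclusive"          # delay seen sometimes: re-measure


if __name__ == "__main__":
    # Constructed timings: one jitter spike in the clean runs, one in the probe runs.
    clean = [0.4, 0.5, 3.6]
    probed = [3.5, 0.6, 0.5]
    print("single shot says:", naive_single_shot(clean[0], probed[0]))  # True
    print("repeated runs say:", classify(clean, probed))               # noise
    print("real delay would look like:", classify([0.4, 0.5, 0.6], [3.5, 3.6, 3.4]))
```

Run against a site's own form, the same rule turns a one-off slow response into a "noise" verdict, which is the evidence to hand back to the scanner vendor.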

  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    As far as I can see, this report of vulnerability is not applicable to the Contact Form 7 plugin of any version. It might be a particular issue in your site, but I’m not sure. I want to hear the details from SiteLock if possible.

    It mentions a ‘City’ parameter. Do you have the field in your form? Can I see the form?

  • The topic ‘CGI Command Execution Vulnerability in POST HTTP Method’ is closed to new replies.