Open cupc4k3 opened 9 months ago
thx for reporting these. I am going to attempt to fix my own install using the hooks module. It lets you inject PHP at lots of stages. Before client update and after client update being 2 examples. I should be able to use it to sanitise the input whilst not breaking compatibility with future upgrades.
I have identified security vulnerabilities in version 3.1.1. These vulnerabilities include Cross-Site Scripting (XSS) - both Stored and Reflected, SQL Injection, CSRF, and Server-Side Template Injection (SSTI). All these vulnerabilities are exploitable in an authenticated state.
Cross-Site Scripting (XSS) - Stored
Stored Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. This malicious code is stored on the server, such as in a database, and is then retrieved and displayed to users. Stored XSS attacks can lead to the theft of cookies, session tokens, or other sensitive information belonging to the victim. Unlike reflected XSS, which requires tricking a user into clicking a link, stored XSS does not require any action from the victim.
Steps to Reproduce:
Affected Pages
POST /admin/clients/edit.php
Images
Remediation
Implement strict input validation: Ensure all user inputs are validated for type, length, format, and range.
Sanitize inputs: Use server-side input sanitization to remove or neutralize potentially harmful characters in inputs used in web pages.
Escape output: Ensure that any data dynamically included in HTML is properly escaped to prevent it from being interpreted as executable code.
SQL Injection
A SQL injection (SQLi) vulnerability occurs when an attacker manipulates input data to execute unauthorized SQL queries on a database. This exploit can lead to unauthorized access, data manipulation, or even deletion.
Steps to Reproduce:
The variable $string, which contains the value of the keyword parameter, is directly incorporated into the SQL clause without being properly sanitized or handled. This practice creates an opening for SQL injection attacks, where a malicious attacker can manipulate the value of $string to execute unauthorized SQL commands.
To validate the vulnerability, I used the following payload for a time based blind: SLEEP(2)/' or SLEEP(2) or '" or SLEEP(2) or "/
Explanation of the payload:
SLEEP(2): This is an SQL function causing the SQL query to pause execution for 2 seconds. It is employed to intentionally introduce a delay and assess whether the application is susceptible to time-based SQL injection.
/' or SLEEP(2) or '" or SLEEP(2) or "/: This payload attempts to exploit the SQL injection vulnerability. The / initiates a comment in SQL, and everything following it until / is treated as a comment, disregarded by the database.
The objective of this payload is to ascertain if the application is vulnerable to time-based SQL injection. If successful, the SQL query will be manipulated to introduce a 2-second delay. In the attached screenshot, it is evident that the application delayed the response by 8 seconds, confirming the successful exploitation of the SQL injection vulnerability.
Cross-Site Scripting (XSS) - Reflected
Reflected Cross-Site Scripting (XSS): unlike Stored XSS, Reflected XSS involves injecting malicious scripts that are immediately reflected in the user's browser. Typically, attackers craft links containing the malicious code, and users unknowingly execute the script by clicking on the manipulated link. Reflected XSS poses a risk of stealing sensitive information, such as cookies or session tokens, without requiring the victim to take any additional action.
Steps to Reproduce:
1. Log in as an administrator.
2. Go to the "clients" tab.
3. Edit any user.
4. Insert the payload alert('XSS') into the client_id parameter.
Affected Pages
Images
Remediation
Implement strict input validation: Ensure all user inputs are validated for type, length, format, and range.
Sanitize inputs: Use server-side input sanitization to remove or neutralize potentially harmful characters in inputs used in web pages.
Escape output: Ensure that any data dynamically included in HTML is properly escaped to prevent it from being interpreted as executable code.
Cross-site Request Forgery (CSRF)
CSRF (Cross-Site Request Forgery) is a security vulnerability where an attacker tricks a user's browser into unknowingly submitting a request on a trusted site. By exploiting the user's authenticated session, the attacker can perform unauthorized actions on the user's behalf.
Steps to Reproduce:
1. Log in as an administrator.
2. Go to the "clients" tab.
3. Edit any user.
I clicked on ‘update’ to analyze the POST request and identified that it is vulnerable to a CSRF (Cross-Site Request Forgery) attack since it doesn’t require a valid CSRF token to process the request. A CSRF token is a security measure used to prevent unauthorized requests from being sent to a website on behalf of a user. Without a valid CSRF token requirement, the application is exposed to such attacks, allowing an attacker to forge a request that the application will process without a valid CSRF token.
Demonstrating the Impact of CSRF:
An attacker, depending on the scenario and available information, could construct a link and send it to other users. In the example below, I altered the administrator’s data, including name, email, and password, while keeping the username as ‘admin’.
Logged in as the administrator in the system:
After the admin accessed the sent link, the request was resent, and the administrator’s data was successfully altered.
Affected Pages
POST /admin/clients/edit.php
Remediation
To tackle CSRF vulnerabilities, make sure to integrate anti-CSRF tokens into the codebase. Verify that all user actions, especially those influencing state changes, are guarded against potential malicious manipulation. This is a crucial step to bolster the system's security.
Server-Side Template Injection (SSTI)
Server-Side Template Injection (SSTI) is a vulnerability where attackers inject malicious code into a server's templates, leading to the execution of unauthorized commands. Exploiting SSTI can result in significant security breaches, as it allows manipulation of server-side processes.
Steps to Reproduce:
1. Log in as an administrator.
2. Go to Forms > Add Form.
3. Navigate to Views and click on Add New Group.
4. In the group name field, enter {{exec('id')}} and click on Create Group.
5. Afterward, click on Update and observe that the output of the id command was successfully executed on the server.
Affected Pages
POST /admin/forms/edit/index.php
Images
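The remediation listed for both XSS findings (validate input server-side, escape output) and the whitelist that closes the SSTI sink, as an added PHP example that is not code from the project or from the report. The field names (client_id, first_name, last_name, email, group_name) are assumptions about the client edit and group forms; a function of this shape is also what the maintainer's "before client update" hook could call, though the hook API itself is not shown here.

```php
<?php
// Added example, not code from the project or the report. Field names
// (client_id, first_name, last_name, email, group_name) are assumptions.
declare(strict_types=1);

/**
 * Validate a client-edit POST body. Returns [cleanFields, errors].
 * Anything that fails validation is never written to the database.
 */
function validateClientInput(array $post): array
{
    $clean  = [];
    $errors = [];

    // client_id is a database key: it must be a positive integer, never
    // free text, so "1<script>..." is rejected before it reaches SQL or HTML.
    $id = filter_var($post['client_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['client_id'] = 'client_id must be a positive integer';
    } else {
        $clean['client_id'] = $id;
    }

    // Names: bounded length; letters, marks, spaces, dots, apostrophes, hyphens.
    foreach (['first_name', 'last_name'] as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 100
            || !preg_match('/^[\p{L}\p{M} .\'-]+$/u', $value)) {
            $errors[$field] = "$field must be 1-100 letters, spaces, dots, apostrophes or hyphens";
        } else {
            $clean[$field] = $value;
        }
    }

    // E-mail: use PHP's validator rather than a home-grown regex.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'email is not a valid address';
    } else {
        $clean['email'] = $email;
    }

    // group_name ends up in a template: a strict whitelist leaves no room
    // for template delimiters such as {{ }}. The stronger fix is to pass the
    // name to the template engine as a variable, never as template source.
    $group = trim((string) ($post['group_name'] ?? ''));
    if ($group === '' || strlen($group) > 50 || !preg_match('/^[A-Za-z0-9 _-]+$/', $group)) {
        $errors['group_name'] = 'group_name may contain only letters, digits, spaces, _ and -';
    } else {
        $clean['group_name'] = $group;
    }

    return [$clean, $errors];
}

/** Escape a string for an HTML text node or a double-quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a form field; the value is always escaped, whatever it contains. */
function renderInput(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Constructed sample POST body shaped like the report's payloads.
$sample = [
    'client_id'  => "1<script>alert('XSS')</script>",
    'first_name' => 'Alice',
    'last_name'  => "O'Brien",
    'email'      => 'alice@example.com',
    'group_name' => "{{exec('id')}}",
];

[$clean, $errors] = validateClientInput($sample);
echo 'rejected fields: ' . implode(', ', array_keys($errors)) . "\n";
echo renderInput('last_name', $clean['last_name']) . "\n";
// Even if a value had slipped through, escaping keeps it inert in the page:
echo renderInput('first_name', $sample['client_id']) . "\n";
```

Validation and escaping are separate layers on purpose: validation keeps bad data out of the database, escaping keeps whatever is in the database from being interpreted as markup when it is rendered back. For the group name, the whitelist is a stop-gap; the durable fix is to never let a user-controlled string be compiled as part of a template.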
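The SQL injection section describes a keyword search that splices $string into the SQL text. As an added example that is not code from the project or the report, the block below shows that pattern as the "before" and a parameterised PDO query as the fix. The table layout (clients with client_id, first_name, email) is an assumption, and an in-memory SQLite database stands in for the application's MySQL so the file runs offline.

```php
<?php
// Added example, not code from the project or the report. Table and column
// names are assumptions; SQLite in memory stands in for MySQL.
declare(strict_types=1);

// BEFORE (the vulnerable shape): the user-controlled keyword becomes part of
// the SQL statement, so quotes, comments and functions in it are executed.
function searchClientsUnsafe(PDO $db, string $string): array
{
    $sql = "SELECT client_id, first_name, email FROM clients
            WHERE first_name LIKE '%$string%' OR email LIKE '%$string%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the SQL text is a constant; the keyword is bound as data. LIKE
// wildcards are escaped too, so a user cannot widen the match with % or _.
function searchClients(PDO $db, string $keyword): array
{
    $keyword = trim($keyword);
    if ($keyword === '' || mb_strlen($keyword) > 64) {
        return [];
    }
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword) . '%';

    // Two placeholders rather than one reused name: native prepares on
    // MySQL reject a named parameter that appears twice.
    $stmt = $db->prepare(
        "SELECT client_id, first_name, email FROM clients
         WHERE first_name LIKE :kw1 ESCAPE '!' OR email LIKE :kw2 ESCAPE '!'
         ORDER BY client_id"
    );
    $stmt->bindValue(':kw1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':kw2', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (client_id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)');
$db->exec("INSERT INTO clients (first_name, email) VALUES
           ('Alice', 'alice@example.com'), ('Bob', 'bob@example.com'), ('Alicia', 'alicia@example.com')");

// Normal use: matches Alice and Alicia.
print_r(array_column(searchClients($db, 'Ali'), 'first_name'));

// A keyword carrying a quote and a comment sequence is matched literally by
// the parameterised query and finds nothing; the statement itself is unchanged.
$hostile = "' OR 1=1 --";
echo 'safe query rows: ' . count(searchClients($db, $hostile)) . "\n";

// The unsafe version lets the same keyword rewrite the WHERE clause, so
// every row comes back. On MySQL a SLEEP() call would run the same way.
echo 'unsafe query rows: ' . count(searchClientsUnsafe($db, $hostile)) . "\n";
```

Binding the keyword as a parameter is what removes the injection; the length cap and LIKE escaping are secondary hygiene so that a search cannot be turned into an expensive full-table wildcard scan.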
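The CSRF remediation asks for anti-CSRF tokens on every state-changing action. The following added PHP example, not code from the project or the report, implements a synchronizer token for the client update POST: one random token per session, embedded in the form and checked with a constant-time comparison before anything is written. The session array is passed in explicitly instead of using $_SESSION so the file runs from the command line; the field and session key names are assumptions.

```php
<?php
// Added example, not code from the project or the report. Session key and
// form field names are assumptions; a plain array stands in for $_SESSION.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = 'csrf_token';

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe embedding.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to place inside every form that changes state. */
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

/** True only if the submitted token equals the session token. */
function csrfValid(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    // hash_equals() is constant-time, so the comparison leaks no timing.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

/** Handler shape for POST /admin/clients/edit.php: verify before any write. */
function handleClientUpdate(array &$session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'render form with ' . csrfHiddenField($session);
    }
    if (!csrfValid($session, $post)) {
        http_response_code(403);
        return '403: missing or invalid CSRF token, nothing changed';
    }
    // Input validation and the database update would follow here.
    return 'client updated';
}

// Constructed walk-through with a fake session.
$session = [];

// 1. The admin loads the form: the page carries the token.
echo handleClientUpdate($session, 'GET', []) . "\n";

// 2. A cross-site POST rides on the admin's cookie but cannot carry the
//    token, which lives only in the admin's session and page.
$forged = ['email' => 'attacker@example.com', 'password' => 'new'];
echo handleClientUpdate($session, 'POST', $forged) . "\n";

// 3. The genuine form submission includes the token and is accepted.
$genuine = $forged + [CSRF_FIELD => $session[CSRF_SESSION_KEY]];
echo handleClientUpdate($session, 'POST', $genuine) . "\n";
```

The check has to run on every state-changing endpoint, not only this one, and it belongs before any input is processed. Marking the session cookie SameSite=Lax or Strict is a worthwhile second layer, but it does not replace the token, since it depends on browser behaviour the server cannot verify.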