------------------------------------------------------------------------
Cross-Site Scripting in FormBuilder WordPress Plugin
------------------------------------------------------------------------
Peter Ganzevles, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Reflected Cross-Site Scripting (XSS) vulnerability has been found in
the FormBuilder WordPress Plugin. By using this vulnerability an
attacker can inject malicious JavaScript code into the application,
which will execute within the browser of any logged-in admin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0007

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.06 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder [2] Plugin for WordPress allows you to build contact
forms in the WordPress administrative interface without needing to know
PHP or HTML. A Reflected Cross-Site Scripting (XSS) vulnerability has
been found in the FormBuilder WordPress Plugin. By using this
vulnerability an attacker can inject malicious JavaScript code into the
application, which will execute within the browser of any logged-in
admin who views the link in the proof of concept below.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The FormBuilder plugin is vulnerable to a Reflected Cross Site Scripting
attack in the main page. This means that an attacker can craft a link,
such as the one below, which will inject malicious javascript in the
page of any admin visiting it.

The vulnerability lies in a piece of code in the file
html/options_default.inc.php. Here, on line 35-40, the following form
class is created:

35: <form class='formSearch' name="formSearch" method="GET"
action="<?php echo FB_ADMIN_PLUGIN_PATH; ?>">
36: 	<input name='page' type="hidden" value="<?php echo $_GET['page'];
?>" />
37: 	<input name='pageNumber' type="hidden" value="<?php echo
$_GET['pageNumber']; ?>" />
38: 	<input name='formSearch' type="text" size="10" value="<?php echo
$formSearch; ?>" />
39: 	<input class='searchButton' name='Search' type="submit"
value="Search" />
40: </form>

This form has two input fields which are populated with data directly
from a GET parameter, which is not sanitized beforehand. These are
$_GET['page’] and $_GET['pageNumber’]. While supplying a malicious
payload to the $_GET[‘pageNumber’] parameter causes the application
to just throw an error, supplying it to the $_GET[‘page’] parameter
will cause it to be executed.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following URL causes an alert box to spawn, which, while not
dangerous in and of itself, is an easy way to prove that it is
vulnerable.

http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formSearch=test&Search=Search
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/
[3] https://downloads.wordpress.org/plugin/formbuilder.1.06.zip