------------------------------------------------------------------------ Multiple blind SQL injection vulnerabilities in FormBuilder WordPress Plugin ------------------------------------------------------------------------ Burak Kelebek, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Multiple blind SQL injection vulnerabilities were found in the FormBuilder WordPress Plugin. This allows an attacker, granted he has Author or higher privileges, to extract arbitrary data (eg the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160724-0008 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on FormBuilder [2] version 1.05. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in FormBuilder version 1.08 [3]. ------------------------------------------------------------------------ Introduction ------------------------------------------------------------------------ The FormBuilder Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ It was discovered that FormBuilder is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Author (or higher privileges) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database. The vulnerabilities exist in the following functions: - formbuilder_options_exportForm - formbuilder_options_removeForm - formbuilder_options_editForm The "fbid" parameter used in the above functions can be supplied by the user and is appended to the WHERE clause as "form_id" directly without performing any sanitization or escaping. Example 1: formbuilder/php/formbuilder_admin_functions.php case "exportForm": formbuilder_options_exportForm($_GET['fbid']); formbuilder/php/formbuilder_admin_pages.inc.php function formbuilder_options_exportForm($form_id) { [..] /* * Load the form fields from the database. */ $sql = "SELECT * FROM " . FORMBUILDER_TABLE_FORMS . " WHERE id = '$form_id' LIMIT 0,1;"; $results = $wpdb->get_results($sql, ARRAY_A); $form = $results[0]; $sql = "SELECT * FROM " . FORMBUILDER_TABLE_FIELDS . " WHERE form_id = $form_id ORDER BY display_order ASC;"; $fields = $wpdb->get_results($sql, ARRAY_A); ------------------------------------------------------------------------ Proof of concept ------------------------------------------------------------------------ http:///wp-admin/tools.php?page=formbuilder.php&fbtag&pageNumber&fbaction=exportForm&fbid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))WSdS) ------------------------------------------------------------------------ References ------------------------------------------------------------------------ [1] https://sumofpwn.nl/advisory/2016/multiple_blind_sql_injection_vulnerabilities_in_formbuilder_wordpress_plugin.html [2] https://wordpress.org/plugins/formbuilder/ [3] https://downloads.wordpress.org/plugin/formbuilder.1.08.zip