For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on FormBuilder version 1.05.
This issue is resolved in FormBuilder version 1.06.
The vulnerability lies in a piece of code in the file html/options_default.inc.php. Here, on line 35-40, the following form class is created:
35: <form class='formSearch' name="formSearch" method="GET" action="<?php echo FB_ADMIN_PLUGIN_PATH; ?>">
36: <input name='page' type="hidden" value="<?php echo $_GET['page']; ?>" />
37: <input name='pageNumber' type="hidden" value="<?php echo $_GET['pageNumber']; ?>" />
38: <input name='formSearch' type="text" size="10" value="<?php echo $formSearch; ?>" />
39: <input class='searchButton' name='Search' type="submit" value="Search" />
This form has two input fields which are populated with data directly from a GET parameter, which is not sanitized beforehand. These are $_GET['page’] and $_GET['pageNumber’]. While supplying a malicious payload to the $_GET[‘pageNumber’] parameter causes the application to just throw an error, supplying it to the $_GET[‘page’] parameter will cause it to be executed.
The following URL causes an alert box to spawn, which, while not dangerous in and of itself, is an easy way to prove that it is vulnerable.