Advisory

Burak Kelebek, July 2016

Multiple blind SQL injection vulnerabilities in FormBuilder WordPress Plugin

Abstract

Multiple blind SQL injection vulnerabilities were found in the FormBuilder WordPress Plugin. This allows an attacker, granted he has Author or higher privileges, to extract arbitrary data (eg the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.

OVE ID

OVE-20160724-0008

Tested versions

This issue was successfully tested on FormBuilder version 1.05.

Fix

This issue is resolved in FormBuilder version 1.08.

Introduction

The FormBuilder Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.

Details

It was discovered that FormBuilder is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Author (or higher privileges) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.

The vulnerabilities exist in the following functions:
- formbuilder_options_exportForm
- formbuilder_options_removeForm
- formbuilder_options_editForm

The "fbid" parameter used in the above functions can be supplied by the user and is appended to the WHERE clause as "form_id" directly without performing any sanitization or escaping.

Example 1:

formbuilder/php/formbuilder_admin_functions.php
case "exportForm":
formbuilder_options_exportForm($_GET['fbid']);


formbuilder/php/formbuilder_admin_pages.inc.php
function formbuilder_options_exportForm($form_id)
   {
      [..]
      
      /*
       * Load the form fields from the database.
      */
      $sql = "SELECT * FROM " . FORMBUILDER_TABLE_FORMS . " WHERE id = '$form_id' LIMIT 0,1;";
      $results = $wpdb->get_results($sql, ARRAY_A);
      $form = $results[0];
      
      $sql = "SELECT * FROM " . FORMBUILDER_TABLE_FIELDS . " WHERE form_id = $form_id ORDER BY display_order ASC;";
      $fields = $wpdb->get_results($sql, ARRAY_A);

Proof of concept

http://<target>/wp-admin/tools.php?page=formbuilder.php&fbtag&pageNumber&fbaction=exportForm&fbid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))WSdS)

Work with us →