{"id":16599,"date":"2021-07-08T11:17:53","date_gmt":"2021-07-08T09:17:53","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0002\/"},"modified":"2022-02-15T09:20:08","modified_gmt":"2022-02-15T08:20:08","slug":"usd-2019-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0002\/","title":{"rendered":"usd-2019-0002"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0002 | feeling4design Super Forms \u2013 Drag &amp; Drop Form Builder\/1.0.0 \u2013 4.4.8<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2019-0002<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Super Forms<\/span><br \/><strong>Affected Version<\/strong><span>: 1.0.0 \u2013 4.4.8<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Path Traversal<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>:<\/span><br \/><a href=\"https:\/\/github.com\/RensTillmann\/super-forms\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/RensTillmann\/super-forms<\/a><br \/><a href=\"http:\/\/codecanyon.net\/user\/feeling4design\" target=\"_blank\" rel=\"noopener\">http:\/\/codecanyon.net\/user\/feeling4design<\/a><br \/><strong>Vendor Status<\/strong><span>: Not fixed<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>The 
attacker can upload files to arbitrary locations by manipulating the [userid] stored in the session cookie. This vulnerability, when combined with the \u201cArbitrary File Upload\u201d vulnerability described in <\/span><a href=\"\/security-advisories\/usd-2019-0003\/\">usd-2019-0003<\/a><span>, can lead to Remote Code Execution.<\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<div class=\"x-text\">\n<p>The upload of files with arbitrary extensions was tested on a customer's instance of WordPress + Super Forms.<\/p>\n<p>To reproduce:<br \/>1) Set up WordPress with Super Forms and create a form containing an upload field<br \/>2) Before submitting this form, set the cookie PHPSESSID to a path relative to the upload directory, e.g. PHPSESSID=..\/<\/p>\n<p>This way, we abused the generation of the [userid] used for the upload subfolder to write the file to a different path. The relevant source code in \/uploads\/php\/UploadHandler.php:<\/p>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n<pre><code>\/\/ session_id() is taken from the client-supplied PHPSESSID cookie,\n\/\/ so the value returned here is attacker-controlled.\nprotected function get_user_id() {\n    @session_start();\n    return session_id();\n}<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<p>The return value of session_id() is controlled by the client via the PHPSESSID cookie. We set it to ..\/, which changes the upload path to uploads\/php.<\/p>\n<p>File execution:<br \/>Normally, uploaded files are copied to a subfolder named after a random [userid] on the server: wp-content\/plugins\/super-forms\/uploads\/php\/files\/[userid]\/[filename]. 
In the folder php\/files\/ there is a .htaccess file that denies the execution of PHP files:<\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-2019-0002-codesnippet1.png\" title_text=\"usd-2019-0002-codesnippet1\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||26px||false|false\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n<div class=\"e11843-12 x-container max width\">\n<div class=\"e11843-13 x-column x-sm x-1-1\">\n<div class=\"x-text\">\n<p>Since the directory uploads\/php is not covered by the mentioned .htaccess file, PHP code execution is not restricted there and a PHP reverse shell is possible.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><i>Disclaimer<\/i><br \/>The suggested fix is only a temporary workaround and not a final fix that ensures the full security of this WordPress plugin. It is intended to support the developers in closing this vulnerability.<\/p>\n<p>The vulnerabilities we found are not yet fixed in the latest version of this plugin. 
One option is to disable the plugin.<\/p>\n<p>Another option is to apply the following temporary fix:<br \/>In \/uploads\/php\/UploadHandler.php, change the function get_user_id() so that it returns a value an attacker cannot tamper with.<\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-01-25 First contact request via contact form to: https:\/\/codecanyon.net\/item\/super-forms-drag-drop-form-builder\/13979866\/support<\/li>\n<li>2019-02-05 Vendor releases version 4.5.3 with a supposed fix. We could still exploit the vulnerability. (related: Changelog on https:\/\/codecanyon.net\/item\/super-forms-drag-drop-form-builder\/13979866)<\/li>\n<li>2019-07-31 Security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>These security vulnerabilities were found by Tim Kranz and Matthias G\u00f6hring of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0002 | feeling4design Super Forms \u2013 Drag &amp; Drop Form Builder\/1.0.0 \u2013 4.4.8 Advisory ID: usd-2019-0002CVE Number: N\/AAffected Product: Super FormsAffected Version: 1.0.0 \u2013 4.4.8Vulnerability Type: Path TraversalSecurity Risk: CriticalVendor URL:https:\/\/github.com\/RensTillmann\/super-formshttp:\/\/codecanyon.net\/user\/feeling4designVendor Status: Not fixed Description The attacker can upload files to arbitrary locations by manipulating the [userid] stored in the session cookie. 
This vulnerability when [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16599","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16599"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16599\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}