CMS MADE SIMPLE FORGE

Form Builder


[#11915] XSS vulnerability on all form fields

Created By: Thomas Feyrer (dante)
Date Submitted: Mon Oct 22 15:58:36 -0400 2018

Assigned To: Fernando Morgado (JoMorg)
Version: 0.8.1.6
CMSMS Version: 1.11.12
Severity: Critical
Resolution: Fixed
State: Closed
Summary:
XSS vulnerability on all form fields
Detailed Description:
There's a big XSS vulnerability in FormBuilder starting with Version 0.8.1!

The values are passed unfiltered if form fields get displayed again (i.e.
because of missing required fields).

Just paste the following code in any text field and leave at least one required
field empty.
"><div style="color:red;">XSS-Attack!</div><input name="


I checked the code and starting with Version 0.8.1 the values submitted to
fbCreateInputText() (FormBuilder.module.php) were escaped by htmlspecialchars
right in GetFieldInput() (i.e. classes\TextField.class.php). Because of this,
the escaping in fbCreateInputText() resulted in double-escaped input, which
would display &quot; etc. in the input fields. To correct this, all input fields
then got filtered by unmy_htmlentities() which removes the escapings.

My FAST (not clean) bugfix is changing line 922 in FormBuilder.module.php from:
    $value = cms_htmlentities($value);
to:
    $value = cms_htmlentities(formbuilder_utils::htmlentities($value));

and commenting out the lines 855 to 873 in classes\Form.class.php
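The escaping chain the report describes, as an added stand-alone illustration (this is not FormBuilder code; function names are made up, and unmy_htmlentities() is assumed to behave like PHP's html_entity_decode()). It shows why "escape on input, escape again on output, then decode to hide the double escaping" ends with an unescaped value inside the value="..." attribute, and two ways to keep the output escaped exactly once.

```php
<?php
// Constructed test string taken from the report above.
const PAYLOAD = '"><div style="color:red;">XSS-Attack!</div><input name="';

// Models the escaping in GetFieldInput() (assumed to be htmlspecialchars()).
function escapeOnInput(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// 0.8.1 symptom: the already-escaped value is escaped a second time in the
// output routine, so the browser shows literal "&quot;" etc. inside the field.
function renderDoubleEscaped(string $stored): string
{
    return '<input type="text" name="f" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// The "fix" for that symptom: decode the entities before output. The value is
// now written into the attribute with no escaping at all, so the quote in the
// payload closes the attribute and the injected markup becomes live HTML.
function renderVulnerable(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); // ~ unmy_htmlentities()
    return '<input type="text" name="f" value="' . $decoded . '">';
}

// Hardening option 1: keep the raw value and escape once, at the point of output.
function renderSafe(string $raw): string
{
    return '<input type="text" name="f" value="'
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '">';
}

// Hardening option 2: if the stored value may already be escaped, disable
// double encoding instead of decoding. Existing entities are left alone but a
// bare quote or angle bracket is still escaped, so the attribute cannot be broken.
function renderSafeIdempotent(string $stored): string
{
    return '<input type="text" name="f" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false) . '">';
}

$stored = escapeOnInput(PAYLOAD);
echo "double-escaped: ", renderDoubleEscaped($stored), "\n";
echo "vulnerable:     ", renderVulnerable($stored), "\n";
echo "safe (raw):     ", renderSafe(PAYLOAD), "\n";
echo "safe (stored):  ", renderSafeIdempotent($stored), "\n";
```

Only the "vulnerable" line contains an unescaped `">` inside the attribute; the two hardened variants produce identical, inert output whether the value arrives raw or pre-escaped.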


History

Comments
Date: 2020-09-08 11:08
Posted By: Fernando Morgado (JoMorg)

Fixed in SVN for 1.1. Thanks;
      
Date: 2020-09-10 12:51
Posted By: Rolf (rolf1)

FormBuilder 1.1 is released
      
Updates

Updated: 2020-09-10 12:51
state: Open => Closed

Updated: 2020-09-08 11:11
resolution_id: 5 => 7

Updated: 2020-09-08 11:08
resolution_id: => 5
assigned_to_id: 100 => 12532