Gravity Forms 1.8 <= 1.9.3.5 - Authenticated Blind SQL Injection


Description
Title: Gravity Forms 1.8 <= 1.9.3.5 - Blind SQL Injection CVE-2015-2260

Version/s Tested: 1.9.3.1

Description:
Gravity Forms (plugin slug: gravityforms) is one of the most popular WordPress plugins and is used to create forms for WordPress sites. The latest version at the time of writing (1.9.3.5) contains an authenticated Blind SQL Injection vulnerability, exploitable by an admin or any user with the gravityforms_edit_forms capability.

Technical Description: 
The authenticated Blind SQL Injection vulnerability can be found within the 'form_list.php' and 'forms_model.php' files. The 'sort' GET parameter (assigned to $sort_column) is not sufficiently sanitised before being used within an SQL query.

form_list.php line 106:
$sort_column = empty( $_GET['sort'] ) ? 'title' : $_GET['sort'];

form_list.php line 111:
$forms = RGFormsModel::get_forms( $active, $sort_column, $sort_direction, $trash );

forms_model.php line 106:
// esc_sql() only escapes quotes and backslashes; the value is then interpolated as an unquoted identifier
$sort_column  = esc_sql( $sort_column );
$order_by     = ! empty( $sort_column ) ? "ORDER BY $sort_column $sort_keyword" : '';
$sql = "SELECT f.id, f.title, f.date_created, f.is_active, 0 as lead_count, 0 view_count FROM $form_table_name f $where_clause $order_by";

According to the WordPress documentation, esc_sql() 'Prepares a string for use as an SQL query. A glorified addslashes() that works with arrays.' However, this is not sufficient to prevent SQL Injection here: the value is placed into the ORDER BY clause as an unquoted identifier, so escaping quotes and backslashes does nothing to stop a payload that contains neither, as can be seen from the Proof of Concept.

Proof of Concept (PoC)

The following GET request will cause the SQL query to execute and sleep for 10 seconds when requested by an authenticated admin or other user with the gravityforms_edit_forms capability.

http://localhost/wp-admin/admin.php?page=gf_edit_forms&sort=date_created%2c(select%20*%20from%20(select(sleep(10)))a)
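For site operators who want to know whether this request pattern has already been made against their installation, the following is an added example (not part of the advisory and not Gravity Forms code) that scans web server access-log lines for gf_edit_forms requests whose 'sort' value is not one of the plugin's real sort columns. The log lines are constructed for the example and the function name is illustrative.

```php
<?php
// Added example, not from the advisory: flag access-log requests to the
// Gravity Forms list page whose 'sort' parameter is not a known column name.
// The allowlist mirrors the columns named in the advisory's fix.
function suspicious_sort_requests( array $log_lines ) {
    $allowed = array( 'id', 'title', 'date_created', 'is_active', 'is_trash' );
    $hits    = array();

    foreach ( $log_lines as $line ) {
        // Common Log Format request field: "METHOD /path?query HTTP/x.y"
        if ( ! preg_match( '#"(?:GET|POST) (\S+) HTTP/#', $line, $m ) ) {
            continue;
        }
        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( $query === null || $query === false ) {
            continue;
        }
        // parse_str() URL-decodes, so %2c and %20 become ',' and ' '
        parse_str( $query, $params );
        if ( ( $params['page'] ?? '' ) !== 'gf_edit_forms' ) {
            continue;
        }
        $sort = $params['sort'] ?? null;
        // sort[]=... would arrive as an array; treat anything non-string as suspicious too
        if ( ! is_string( $sort ) || ! in_array( strtolower( $sort ), $allowed, true ) ) {
            $hits[] = array( 'line' => $line, 'sort' => $sort );
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one benign sort, one that
// carries the advisory's PoC value, and one unrelated request.
$logs = array(
    '10.0.0.5 - - [17/Mar/2015:10:01:12 +0000] "GET /wp-admin/admin.php?page=gf_edit_forms&sort=date_created HTTP/1.1" 200 5120',
    '10.0.0.5 - - [17/Mar/2015:10:02:40 +0000] "GET /wp-admin/admin.php?page=gf_edit_forms&sort=date_created%2c(select%20*%20from%20(select(sleep(10)))a) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Mar/2015:10:03:01 +0000] "GET /wp-admin/admin.php?page=gf_entries HTTP/1.1" 200 2048',
);

foreach ( suspicious_sort_requests( $logs ) as $hit ) {
    echo 'Suspicious sort value: ', var_export( $hit['sort'], true ), "\n";
    echo '  ', $hit['line'], "\n";
}
```

Run it with `php scan.php` (or adapt the loop to read a real log with `fgets()`). Only the second constructed line is reported, because its decoded sort value is not in the allowlist. If the server also records request duration (Apache's `%D` or nginx's `$request_time`), a response of roughly ten seconds on such a request corroborates that the injected sleep executed.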

Impact:
The original impact has been amended after further research by Ryan Dewhurst. Because WordPress sends X-Frame-Options and PHP/MySQL do not support stacked queries, it is not currently possible for a remote attacker to exploit this vulnerability via CSRF. A reliable cross-domain timing attack using a GET request which does not rely on frames would be required to exploit this issue.

Fix for 1.8 branch:
After form_list.php line 106:
$sort_column    = empty( $_GET['sort'] ) ? 'title' : $_GET['sort'];

Add:
if ( ! in_array( strtolower( $sort_column ), array( 'id', 'title', 'date_created', 'is_active', 'is_trash' ) ) ) {
  $sort_column = 'title';
}
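To make the point of the Technical Description and the fix concrete, the following is an added example (not Gravity Forms code; the function names are illustrative) that shows the advisory's PoC value passing unchanged through addslashes-style escaping, a query builder in the vulnerable shape, and a hardened builder that validates both the column and the direction against a fixed allowlist, going slightly beyond the advisory's fix by also allowlisting the direction keyword.

```php
<?php
// Added example, not from the plugin: why esc_sql()-style escaping does not
// protect an ORDER BY identifier, and how an allowlist does.

// esc_sql() is described by WordPress as a glorified addslashes(): it escapes
// quotes and backslashes. A value used as an identifier never sits inside a
// quoted string, so a payload containing neither character is left intact.
function escape_like_esc_sql( $value ) {
    return addslashes( $value );
}

// Vulnerable shape: the escaped value is interpolated straight into ORDER BY.
function build_order_by_vulnerable( $sort_column, $sort_direction ) {
    $sort_column = escape_like_esc_sql( $sort_column );
    return ! empty( $sort_column ) ? "ORDER BY $sort_column $sort_direction" : '';
}

// Hardened shape: column and direction must each match a fixed allowlist,
// otherwise a safe default is used. User input never reaches the SQL string.
function build_order_by_safe( $sort_column, $sort_direction ) {
    $allowed_columns    = array( 'id', 'title', 'date_created', 'is_active', 'is_trash' );
    $allowed_directions = array( 'ASC', 'DESC' );

    $sort_column = strtolower( (string) $sort_column );
    if ( ! in_array( $sort_column, $allowed_columns, true ) ) {
        $sort_column = 'title';
    }
    $sort_direction = strtoupper( (string) $sort_direction );
    if ( ! in_array( $sort_direction, $allowed_directions, true ) ) {
        $sort_direction = 'ASC';
    }
    return "ORDER BY $sort_column $sort_direction";
}

// Constructed inputs: the advisory's PoC value (URL-decoded) and a benign one.
$poc_sort    = 'date_created,(select * from (select(sleep(10)))a)';
$benign_sort = 'date_created';

echo 'escaped PoC value : ', escape_like_esc_sql( $poc_sort ), "\n";
echo 'vulnerable builder: ', build_order_by_vulnerable( $poc_sort, 'ASC' ), "\n";
echo 'hardened builder  : ', build_order_by_safe( $poc_sort, 'ASC' ), "\n";
echo 'hardened, benign  : ', build_order_by_safe( $benign_sort, 'desc' ), "\n";
```

Run it with `php orderby.php`. The escaped PoC value is byte-for-byte identical to the input, and the vulnerable builder emits the subquery verbatim inside ORDER BY; the hardened builder falls back to `title` for the PoC value and accepts `date_created` with a normalised direction. Prepared statements do not help for this case either, since placeholders bind values, not identifiers, which is why an allowlist is the right control for column names.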
Timeline:
March 13th 2030 CST: Vulnerability Discovered by Scott Kingsley Clark (10up.com) and vendor notified.
March 13th 2300 GMT-5: Review, exploit and temporary patch written by Ivan Kruchkoff (10up.com).
March 14th: Vendor releases 1.9.3.6
March 17th: Advisory released.

Credits:
Ryan Dewhurst (WPScan Team - Dewhurst Security) for PoC / writeup of WP SEO exploit: CVE-2015-2292, CVE-2015-2293 

Affects

Plugin gravityforms
fixed in version 1.9.3.6

References

URL http://www.gravityforms.com/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Ivan Kruchkoff
Submitter Website http://10up.com/
Verified No
WPVDB ID 7849

Timeline

Publicly Published 2015-03-17
Added 2015-03-17
Last Updated 2015-12-14

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.