Summary
Due to a broken access control vulnerability in the /admin/pages/{page_name} endpoint, an editor ( user with full permissions to pages ) can change the functionality of a form after submission.
Details
Due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities.
PoC
-
Have Admin and Form plugins installed
-
Connect to panel as admin, create user and give him permission for pages all
-
Now connect as that user and notice you cant edit any process field in the panel
-
Change anything in the content of the form and save
-
Intercept the request:
-
Now modify the field `data[_json][header][form] with the following payload URL-encoded not like this:
{"name":"ssti-test 2","fields":{"name":{"type":"text","label":"Name","required":true}},"buttons":{"submit":{"type":"submit","value":"Submit"}},"process":[{"message":"{{ evaluate_twig(form.value('name')) }}"}]}
- Change the field and forward it:
Request goes through and changes have been made to the form.
Impact
- Attacker can modify submission logic of the form which leads to changing redirect value, email sending, changing template, breaking out of the Twig sandbox potentially executing code...
Fix recommendation
- Implement proper authorization checks to such requests especially when it contains fields user shouldn't be able to modify based on his role.
Miggo AI