Unrestricted Upload of File with Dangerous Type in pimcore/pimcore
Reported on
Oct 23rd 2021
Description
I found an unrestricted file upload in the profile picture field. Uploading an image whose headers declare very large dimensions (4250x64250 pixels) forces the image parser to allocate memory for the whole declared image based only on those headers; it tries to allocate 4128062500 pixels into memory, flooding the memory and causing a DoS.
Proof of Concept
Location: the profile image parameter
https://drive.google.com/file/d/18bXWqNYRNds4s7fSpk6NTdNHGrwvjMTj/view?usp=sharing
lottapixel.jpg (attacking image)
https://drive.google.com/file/d/1uDrxBzWLgUNjD2smG0PmrPhOMOFc_lmJ/view?usp=sharing
testcartoon.jpg (normal image)
https://drive.google.com/file/d/1s7KbAb1bQ-ntg8cC5oAu6QwTIB2O7vsO/view?usp=sharing
PoC of the attack
https://drive.google.com/file/d/1YF3ctGtPWKCUSIYuuorXGMQimHM4HTsg/view?usp=sharing
Fix
As a patch, I would set a maximum number of pixels an image may have, checked against the dimensions declared in the image headers before the image is decoded.
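The following is an added example of such a pixel-count gate; it is not pimcore's code and is not taken from this report. It reads the dimensions a baseline JPEG declares in its SOF frame header without decoding any pixel data, and rejects the upload if width times height exceeds a limit. MAX_PIXELS, the function names and the constructed header bytes (one declaring 4250x64250 pixels as in the report, one a normal-sized image) are assumptions made for the example.

```python
import struct

# Assumed policy limit for this example: 50 megapixels.
MAX_PIXELS = 50_000_000

# JPEG "start of frame" markers (SOF0..SOF15, excluding DHT, JPG and DAC).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data: bytes) -> tuple[int, int]:
    """Return (width, height) declared in the JPEG header, walking the marker
    segments until the first SOF. Nothing is decoded, so a header that
    declares a huge image costs no memory to inspect."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker sequence")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        if marker in (0xD9, 0xDA):              # EOI or SOS reached before any SOF
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            raise ValueError("invalid segment length")
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                raise ValueError("truncated SOF segment")
            # SOF payload: precision (1 byte), height (2), width (2), ...
            _precision, height, width = struct.unpack(">BHH", data[pos + 4:pos + 9])
            return width, height
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def check_upload(data: bytes, max_pixels: int = MAX_PIXELS) -> dict:
    """Gate an uploaded JPEG on its declared pixel count before decoding."""
    width, height = jpeg_dimensions(data)
    pixels = width * height
    return {"width": width, "height": height,
            "pixels": pixels, "allowed": pixels <= max_pixels}


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed test data: SOI, a JFIF APP0 segment and an SOF0 header
    declaring the given size. No scan data follows, so it decodes to nothing;
    it only exercises the header check above."""
    soi = b"\xff\xd8"
    app0_payload = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    # precision 8, height, width, 1 component (id 1, 1x1 sampling, quant table 0)
    sof_payload = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", len(sof_payload) + 2) + sof_payload
    return soi + app0 + sof0


if __name__ == "__main__":
    bomb = make_jpeg_header(4250, 64250)     # dimensions from the report
    normal = make_jpeg_header(800, 600)      # an ordinary profile picture
    print("declared-huge image:", check_upload(bomb))
    print("normal image:", check_upload(normal))
```

The same gate exists at library level: Pillow enforces Image.MAX_IMAGE_PIXELS and raises DecompressionBombError for images far above it, and in PHP getimagesize() returns the declared dimensions from the headers without decoding the image, so the width*height comparison can be done before Imagick or GD ever touches the file.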
Impact
This vulnerability can force the server to allocate a large volume of memory, flooding the memory and causing a DoS.