Unrestricted Upload of File with Dangerous Type in pimcore/pimcore

Valid

Reported on Oct 23rd 2021
Description

I found an unrestricted file upload in the profile picture feature. An image whose headers declare very large dimensions (4250x64250 pixels) forces the image parser to allocate memory for the whole image based on those headers: it tries to allocate 4128062500 pixels in memory, exhausting memory and causing a DoS.

Proof of Concept

Location of the profile image parameter: https://drive.google.com/file/d/18bXWqNYRNds4s7fSpk6NTdNHGrwvjMTj/view?usp=sharing

lottapixel.jpg (attacking image): https://drive.google.com/file/d/1uDrxBzWLgUNjD2smG0PmrPhOMOFc_lmJ/view?usp=sharing

testcartoon.jpg (normal image): https://drive.google.com/file/d/1s7KbAb1bQ-ntg8cC5oAu6QwTIB2O7vsO/view?usp=sharing

PoC of the attack: https://drive.google.com/file/d/1YF3ctGtPWKCUSIYuuorXGMQimHM4HTsg/view?usp=sharing

Fix

As a patch I would just set a maximum number of pixels an image can have, checked against the declared dimensions before the image is decoded.
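An added example of that check (not pimcore's own code): it reads the declared width and height from the JPEG SOF header without decoding any pixels and rejects the upload when their product exceeds a cap. The 25-megapixel cap is an assumption, and the sample header is constructed with the dimensions named in the report.

```python
import struct

# Assumed cap (not from the report): refuse to decode anything above 25 megapixels.
MAX_PIXELS = 25_000_000
# SOFn markers 0xC0..0xCF carry the frame size; 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC) are not SOF.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def jpeg_dimensions(data):
    """Return (width, height) from the JPEG frame header without decoding pixel data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment table at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte between segments, skip it
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                    # standalone markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if marker in SOF_MARKERS:
            if i + 9 > len(data):
                raise ValueError("truncated SOF segment")
            _precision, height, width = struct.unpack(">BHH", data[i + 4:i + 9])
            return width, height
        if marker == 0xDA:            # start of scan reached before any frame header
            break
        i += 2 + length
    raise ValueError("no SOF marker found")

def upload_allowed(data, max_pixels=MAX_PIXELS):
    """Gate for the profile-picture upload: decode only if the declared size is within the cap."""
    try:
        width, height = jpeg_dimensions(data)
    except ValueError:
        return False                  # unparsable header: reject rather than guess
    return width * height <= max_pixels

def make_jpeg_header(width, height):
    """Constructed test input: SOI + APP0/JFIF + a baseline SOF0 declaring the given dimensions."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", 17) + struct.pack(">BHH", 8, height, width)
    sof0 += b"\x03" + b"\x01\x22\x00" + b"\x02\x11\x01" + b"\x03\x11\x01"
    return b"\xff\xd8" + app0 + sof0
```

`upload_allowed(make_jpeg_header(4250, 64250))` returns False because the declared 4250x64250 frame exceeds the cap, while a normal 800x600 header passes; other formats need their own header readers before the same cap is applied.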

Impact

This vulnerability lets an attacker force the server to allocate a large volume of memory, exhausting memory and causing a DoS.

We have contacted a member of the pimcore team and are waiting to hear back (a year ago)
Bernhard Rusch validated this vulnerability (a year ago)
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 007cf7 (a year ago)
Bernhard Rusch has been awarded the fix bounty