Unrestricted Upload of File with Dangerous Type in pimcore/pimcore

Valid

Reported on

Oct 23rd 2021


Description

I found an unrestricted file upload that can be used to force an image parser to allocate a large volume of memory based on the image headers: a large file uploaded as the profile picture, 4250x64250 pixels, is read whole into memory, so it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS.

Proof of Concept

location parameter profile image https://drive.google.com/file/d/18bXWqNYRNds4s7fSpk6NTdNHGrwvjMTj/view?usp=sharing

lottapixel.jpg attacking https://drive.google.com/file/d/1uDrxBzWLgUNjD2smG0PmrPhOMOFc_lmJ/view?usp=sharing

testcartoon.jpg normal image https://drive.google.com/file/d/1s7KbAb1bQ-ntg8cC5oAu6QwTIB2O7vsO/view?usp=sharing

poc attack https://drive.google.com/file/d/1YF3ctGtPWKCUSIYuuorXGMQimHM4HTsg/view?usp=sharing

Fix

As a patch I would just set a maximum amount of pixels an image can have.
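A header-only dimension check is one way to enforce such a cap before any decoder touches the file. This is an added example, not pimcore's code or the reporter's patch; the MAX_PIXELS value is an assumed policy number, and the JPEG headers built by make_jpeg_header are constructed test inputs (the 64250x64250 frame reproduces the 4128062500-pixel figure from the report).

```python
import struct

# Assumed policy value: the report recommends a cap but does not name one.
MAX_PIXELS = 25_000_000  # roughly 5000 x 5000

# SOFn markers carry the frame size; C4 (DHT), C8 (JPG) and CC (DAC) do not.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # markers with no length field

def jpeg_dimensions(data: bytes):
    """Return (width, height) from the SOF segment without decoding any pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:      # no length field follows
            pos += 2
            continue
        if marker in (0xD9, 0xDA):    # EOI / SOS before any SOF: no frame header
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # SOF payload layout: precision(1) height(2) width(2) components(1)
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + length
    raise ValueError("no SOF segment found")

def check_pixel_budget(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """True only if the declared frame fits the budget; unknown formats are rejected."""
    if data[:2] != b"\xff\xd8":
        return False
    width, height = jpeg_dimensions(data)
    return 0 < width * height <= max_pixels

def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed minimal JPEG prefix (SOI + SOF0), enough for the check above."""
    sof = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof

BOMB = make_jpeg_header(64250, 64250)   # 4128062500 pixels, rejected
NORMAL = make_jpeg_header(1024, 768)    # 786432 pixels, accepted
```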

Impact

This vulnerability is capable of allocating a large volume of memory, flooding the memory and causing DoS.

We have contacted a member of the pimcore team and are waiting to hear back a month ago
Bernhard Rusch validated this vulnerability a month ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 007cf7 a month ago
Bernhard Rusch has been awarded the fix bounty