SQL injection in some Admin Sort functions in pimcore/pimcore
Reported on
May 26th 2023
Description
SQL injection due to unsanitized concatenating strings into ORDER BY clause, 'sort' parameter
Proof of Concept
Log in as an admin, go to Admin Translations or Application Logger functions, and perform a sort action
Observer the request on Burpsuite and injection point is the 'sort' parameter
POC request that makes the application sleep for 5 seconds (Translations function)
payload: %5b%7b%22property%22%3a%22key%3b%20select%20sleep(5)--%20-%22%2c%22direction%22%3a%22ASC%22%7d%5d
POC request that makes the application sleep for 10 seconds (Application Logger function)
payload: %5b%7b%22property%22%3a%22timestamp%3b%20select%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d
POC request that makes the application sleep for 5 seconds (GPDR Data Extractor function)
payload: %5b%7b%22property%22%3a%22id%3b%20select%20sleep(5)--%20-%22%2c%22direction%22%3a%22ASC%22%7d%5d
Impact
Using some SQL exploitation tools such as sqlmap, an attacker can enumerate all information in the database, alter data or perform dos on the backend database.
Occurrences
Thank you @hiu240900! We made some improvment on the reported places by https://github.com/pimcore/pimcore/pull/15303 and released in 10.5.24
Can you please verify again so that we can validate it?
The fix looks good for the first 3 functions, not the last one, I still can execute the payload.
The code base is too big so I can't see where exactly the vulnerable code, but here is the function that is still vulnerable: https://github-production-user-asset-6210df.s3.amazonaws.com/67749472/252705920-3d29806a-8601-4eef-bd79-5cd961fceca3.png
Thank you very much! I have provided the fix on https://github.com/pimcore/pimcore/pull/15523, can you please apply these changes and check again?
Since I no longer can access my self-hosted site so could you apply these changes to your free demo https://demo.pimcore.com so I can verify it quickly?
Ah no problem then, we will review internally, already left some instruction to the team on how to simulate that. Unfortunately, at the moment, we have to first merge the change and release to have it on the public demo.
Could you please change this report to Affected Version to 10.5.23 , and remove the 4th point (Data Objects function)? I will mark this solved with this https://github.com/pimcore/pimcore/commit/a06ce0abdba19ae0eefc38b035e677f8f0c2bce9
commit
Then create a new ticket with the description of the 4th point (grid-proxy) with affected version set to 10.6.3?
Thank you in advance!
As your request, I will create a new ticket after this report is marked as resolved.
