Pre-Auth Path traversal in pimcore_log, leading to potential DoS in pimcore/pimcore
Reported on
Apr 30th 2023
Description
A path traversal vulnerability exists in the CMS, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.
This can lead to a potential denial of service through overwriting of key files.
Proof of Concept
- As a prerequisite, pimcore must be installed in a Windows environment.
- Another prerequisite: self::inDebugMode() == true
- The CMS fails to sanitize the input properly and creates a file outside the intended log directory, resulting in a path traversal vulnerability.
- An attacker can send a request with the pimcore_log parameter set to a value that starts with a valid log file name, followed by a series of ..\ segments to traverse directories.
Code
The vulnerability is present in the initLogger() function of the CMS:
public static function initLogger(): void
{
    // special request log -> if parameter pimcore_log is set
    if (array_key_exists('pimcore_log', $_REQUEST) && self::inDebugMode()) {
        $requestLogName = date('Y-m-d_H-i-s');
        if (!empty($_REQUEST['pimcore_log'])) {
            // slashes are not allowed, replace them with hyphens
            $requestLogName = str_replace('/', '-', $_REQUEST['pimcore_log']); // here: backslashes are left untouched
        }
        $requestLogFile = resolvePath(PIMCORE_LOG_DIRECTORY . '/request-' . $requestLogName . '.log');
        if (strpos($requestLogFile, PIMCORE_LOG_DIRECTORY) !== 0) {
            throw new \Exception('Not allowed');
        }
        // ... rest of the function remains unchanged ...
    }
}
1. /admin/?pimcore_log=foo
2. /admin/?pimcore_log=foo.log\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts
In this case, the etc\hosts file will be overwritten (this requires the running pimcore process to have system privileges).
Remediation
To address this issue, you can update the initLogger() function to sanitize the input properly. Modify the function by adding input validation and sanitization:
public static function initLogger(): void
{
    // special request log -> if parameter pimcore_log is set
    if (array_key_exists('pimcore_log', $_REQUEST) && self::inDebugMode()) {
        $requestLogName = date('Y-m-d_H-i-s');
        if (!empty($_REQUEST['pimcore_log'])) {
            // Slashes and backslashes are not allowed, replace them with hyphens
            $sanitizedInput = str_replace(['/', '\\'], '-', $_REQUEST['pimcore_log']);
            $requestLogName = resolvePath($sanitizedInput);
        }
        $requestLogFile = PIMCORE_LOG_DIRECTORY . '/request-' . $requestLogName . '.log';
        if (strpos($requestLogFile, PIMCORE_LOG_DIRECTORY) !== 0) {
            throw new \Exception('Not allowed');
        }
        // ... rest of the function remains unchanged ...
    }
}
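The following is an added model of the flaw described in the Proof of Concept and of the Remediation above; it is not pimcore's code. It assumes a constructed log directory and uses posixpath as a stand-in for a '/'-only normaliser like resolvePath(), and ntpath for the Windows semantics that the filesystem actually applies, so it runs on any OS. It shows why the original prefix check passes for the PoC value while the file lands outside the log directory, and a hardened variant that allowlists the name and re-checks containment with OS path rules.

```python
import ntpath
import posixpath
import re

# Constructed log directory for this model; not a real pimcore install path.
LOG_DIR = r"C:\pimcore\var\log"
# The pimcore_log value from the report's PoC.
POC_VALUE = r"foo.log\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts"
# Allowlist for the hardened variant: letters, digits, dot, dash, underscore only.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

def app_resolved_path(user_value: str) -> str:
    """Model of the vulnerable flow: only '/' is replaced, then the joined path is
    normalised by a '/'-only normaliser (posixpath stands in for resolvePath())."""
    name = user_value.replace("/", "-")
    return posixpath.normpath(LOG_DIR + "/request-" + name + ".log")

def app_prefix_check_passes(user_value: str) -> bool:
    """The original guard: the resolved string starts with the log directory."""
    return app_resolved_path(user_value).startswith(LOG_DIR)

def os_target(user_value: str) -> str:
    """What Windows actually opens: '\\' is a separator and '..' climbs out."""
    return ntpath.normpath(app_resolved_path(user_value))

def escapes_log_dir(path: str) -> bool:
    """Containment test using Windows semantics, with a trailing separator so
    that a sibling such as C:\\pimcore\\var\\log2 is not mistaken for the log dir."""
    root = ntpath.normpath(LOG_DIR)
    target = ntpath.normpath(path)
    return not (target == root or target.startswith(root + ntpath.sep))

def hardened_log_path(user_value: str) -> str:
    """Hardened variant: allowlist the name (no separators at all), build the path
    with the OS path library, and re-check containment with OS semantics."""
    if not SAFE_NAME.fullmatch(user_value):
        raise ValueError("Not allowed")
    candidate = ntpath.join(LOG_DIR, "request-" + user_value + ".log")
    if escapes_log_dir(candidate):
        raise ValueError("Not allowed")
    return candidate

def is_allowed(user_value: str) -> bool:
    """True if the hardened variant accepts the value."""
    try:
        hardened_log_path(user_value)
        return True
    except ValueError:
        return False
```

The model also shows that the appended ".log" suffix is kept by the OS normaliser, so the target path is determined by the traversal segments rather than by the suffix.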
Impact
The impact of this vulnerability could be severe, as it allows attackers to:
- Overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information.
- Tamper with system settings by modifying key files, such as the hosts file in Windows or configuration files for other services.
- Cause a denial of service (DoS) if critical system files are overwritten or deleted.
The consequences of exploiting this vulnerability can be detrimental to the confidentiality, integrity, and availability of the affected system. It's crucial to address this vulnerability to protect sensitive data and ensure the proper functioning of the system.
- I don't have a real Windows env, so I added a Linux screenshot to prove that the CMS fails to sanitize the [..] pattern
@hi-unc1e the correct affected version is 10.5.21. could you please fix it? thanks!
@admin, can you change the affected version to 10.5.21, thanks
@admin can you please also update the repository to pimcore/pimcore? thanks!