Unrestricted Upload of File with Dangerous Type in pimcore/pimcore
Jan 17th 2022
The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS and digital commerce services. You can upload an infinite number of dangerous SVG files in "Settings" => "System Settings" => "Appearance and Branding" of the pimcore service. Then why is it dangerous? This is because when reading the upload file, it is read as raw data.
Proof of Concept
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /> <script>alert(document.domain)</script> </svg>
1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective= 2. After login, Go to "Settings" => "System Setting" => "Appearance & Branding" 3. Upload a SVG fille using the Custom Logo Logic 4. Open the url of svg file Video : https://www.youtube.com/watch?v=BwuR0aHCMFY
Through this vulnerability, an attacker is capable to execute malicious scripts.
I am sorry. I couldn't find a code..
A very uncertain case ... as this functionality is anyway just set by an administrator and you have to call the image URL explicitly.
Anyway, I've provided a fix.
I agree on that part. thank you.