SQL injection in ElementController.php in pimcore/pimcore

Valid

Reported on Apr 8th 2022


Description

The property parameter is appended to the SQL query directly, which leads to a SQL injection. If you set a wrong value, you can see the error in the log; then you can check the result before and after injection.

Proof of Concept

// PoC.js

"body": "filterText=sdf&page=1&start=0&limit=50&filter="+encodeURIComponent('[{"property":"id` = 1 or 1=1 # ","type":"string","value":"1","operator":"="}]')

Impact

This vulnerability is capable of stealing data.
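As an added example (not pimcore's code and not the fix commit), the pattern behind this report beside a hardened version: a filter property concatenated into SQL, and a builder that checks the property against an allowlist of known column names and quotes it as an identifier. The table, column names and the in-memory SQLite stand-in are assumptions; the vulnerable query is only printed, since the PoC's "#" comment is MySQL syntax.

```php
<?php
// Added example, not pimcore's code or its fix. Shows the injectable
// pattern from the report (filter property concatenated into SQL) beside
// a hardened builder that allowlists the property and quotes it as an identifier.

// Vulnerable: only the value is quoted; the property name is trusted as-is.
function buildConditionVulnerable(array $filter, PDO $db): string
{
    return '`' . $filter['property'] . '` = ' . $db->quote((string) $filter['value']);
}

// Hardened: reject any property that is not a known column, then quote the identifier.
function buildConditionSafe(array $filter, array $allowedColumns, PDO $db): string
{
    $property = (string) ($filter['property'] ?? '');
    if (!in_array($property, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown filter property: ' . $property);
    }
    // Backtick-quote and double any embedded backticks (MySQL identifier quoting).
    $identifier = '`' . str_replace('`', '``', $property) . '`';
    return $identifier . ' = ' . $db->quote((string) $filter['value']);
}

// Constructed data: an in-memory SQLite table standing in for the real one (assumption).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE elements (id INTEGER, name TEXT)');
$db->exec("INSERT INTO elements VALUES (1, 'a'), (2, 'b'), (3, 'c')");
$allowedColumns = ['id', 'name'];

// The filter object from the PoC, URL-decoded, plus a benign one.
$malicious = ['property' => 'id` = 1 or 1=1 # ', 'type' => 'string', 'value' => '1', 'operator' => '='];
$benign    = ['property' => 'id', 'type' => 'string', 'value' => '1', 'operator' => '='];

// Vulnerable builder: the property closes the identifier and appends "or 1=1",
// and MySQL's "#" comments out the rest, so the WHERE clause matches every row.
echo 'Vulnerable SQL: SELECT * FROM elements WHERE '
    . buildConditionVulnerable($malicious, $db) . PHP_EOL;

// Hardened builder: the same filter is refused before any SQL is built.
try {
    buildConditionSafe($malicious, $allowedColumns, $db);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}

// A legitimate filter still works and returns exactly one row.
$sql = 'SELECT COUNT(*) FROM elements WHERE ' . buildConditionSafe($benign, $allowedColumns, $db);
echo 'Safe SQL: ' . $sql . ' => ' . $db->query($sql)->fetchColumn() . PHP_EOL;
```

The allowlist is the check that matters: identifier quoting alone would still let an unknown but syntactically valid column name through.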

We are processing your report and will contact the pimcore team within 24 hours. (a year ago)
mylong modified the report (a year ago)
We have contacted a member of the pimcore team and are waiting to hear back (a year ago)
pimcore/pimcore maintainer has acknowledged this report (a year ago)
aryaantony92 validated this vulnerability (a year ago)
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
aryaantony92 marked this as fixed in 10.3.5 with commit adae3b (a year ago)
aryaantony92 has been awarded the fix bounty
This vulnerability will not receive a CVE
ElementController.php#L249 has been validated
mylong (Researcher), a year ago

Hi, @aryaantony92. The fixup in line 245:
$dateCondition = '`' . $filter[$propertyKey] . '` ' . ' BETWEEN ' . $db->quote($value) . ' AND ' . $db->quote($maxTime);
Maybe $filter[$propertyKey] should also be quoted?
