SQL injection in ElementController.php in pimcore/pimcore

Valid

Reported on

Apr 8th 2022


Description

The "property" field of the filter parameter is appended to the SQL query directly, which leads to a SQL injection. If you set an invalid value, the resulting SQL error is visible in the log (screenshot in the original report). You can then check the normal result (screenshot) and the result after injection (screenshot).

Proof of Concept

// PoC.js: request body for the grid filter. The backtick in "property" closes the
// identifier and the trailing "# " comments out the rest of the generated SQL.
const body = "filterText=sdf&page=1&start=0&limit=50&filter=" +
    encodeURIComponent('[{"property":"id` = 1 or 1=1 # ","type":"string","value":"1","operator":"="}]');
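The following is an added example, not code from the report or from Pimcore, showing why the pattern described above is injectable and one way to harden it. It assumes a hypothetical allow-list of filterable columns (ALLOWED_PROPERTIES) and uses an in-memory SQLite table with constructed rows in place of Pimcore's MySQL database; because SQLite does not recognise MySQL's "#" comment, the report's payload is adapted to use "--" so the same truncation trick can be run locally. The same identifier check applies to every place a property name from the filter reaches the query, not only the equality condition shown here.

```php
<?php
// Added example (not Pimcore's code): splicing a filter "property" into SQL
// is injectable; an allow-list of column names plus bound values closes it.
declare(strict_types=1);

// Hypothetical allow-list of columns the grid may filter on.
const ALLOWED_PROPERTIES = ['id', 'key', 'path', 'type', 'creationDate', 'modificationDate'];

// Vulnerable pattern from the report: only the value is quoted, the identifier
// is concatenated raw, so a property such as "id` = 1 or 1=1 -- " rewrites the WHERE clause.
function buildConditionVulnerable(array $filter, PDO $db): string
{
    return '`' . $filter['property'] . '` = ' . $db->quote((string) $filter['value']);
}

// Hardened pattern: the identifier must match a known column, and the value
// is handed to the driver as a bound parameter instead of being spliced in.
function buildConditionHardened(array $filter, array &$params): string
{
    $property = (string) ($filter['property'] ?? '');
    if (!in_array($property, ALLOWED_PROPERTIES, true)) {
        throw new InvalidArgumentException('Unknown filter property: ' . $property);
    }
    $params[] = (string) ($filter['value'] ?? '');
    return '`' . $property . '` = ?';
}

// In-memory SQLite stands in for the real database; constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE elements (id INTEGER PRIMARY KEY, `key` TEXT, path TEXT)');
$db->exec("INSERT INTO elements VALUES (1, 'home', '/'), (2, 'internal', '/secret/'), (3, 'news', '/')");

// The report's payload ends in "# " (MySQL comment); SQLite only understands "--",
// so the comment marker is swapped for this demonstration.
$payload = ['property' => "id` = 1 or 1=1 -- ", 'type' => 'string', 'value' => '1', 'operator' => '='];

$sql = 'SELECT id, `key`, path FROM elements WHERE ' . buildConditionVulnerable($payload, $db);
echo "Vulnerable SQL: $sql\n";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo 'Vulnerable query returned ' . count($rows) . " rows; a filter on id=1 should return 1\n";

$params = [];
try {
    buildConditionHardened($payload, $params);
} catch (InvalidArgumentException $e) {
    echo 'Hardened: rejected payload (' . $e->getMessage() . ")\n";
}

$params = [];
$sql = 'SELECT id, `key`, path FROM elements WHERE '
    . buildConditionHardened(['property' => 'id', 'value' => '1'], $params);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo 'Hardened legitimate filter returned ' . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row\n";
```

Quoting the identifier with backticks, as the vulnerable code does, is not a defence on its own: the attacker supplies the closing backtick. Either the name must be checked against a fixed set of columns, or it must go through a proper identifier-quoting routine that escapes embedded backticks, and the value should still be bound rather than concatenated.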

Impact

This vulnerability is capable of stealing data.

We are processing your report and will contact the pimcore team within 24 hours.
mylong modified the report.
We have contacted a member of the pimcore team and are waiting to hear back.
pimcore/pimcore maintainer has acknowledged this report.
aryaantony92 validated this vulnerability.
mylong has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
aryaantony92 confirmed that a fix has been merged on adae3b.
aryaantony92 has been awarded the fix bounty.
ElementController.php#L249 has been validated.

mylong (Researcher) commented:

Hi @aryaantony92, about the fix in line 245: $dateCondition = '`' . $filter[$propertyKey] . '` ' . ' BETWEEN ' . $db->quote($value) . ' AND ' . $db->quote($maxTime); maybe $filter[$propertyKey] should also be quoted?
