SQL injection in SegmentAssignmentController.php in pimcore/customer-data-framework

Valid

Reported on

Apr 9th 2023


Description

An administrator user can use the inheritableSegments feature to execute his own blind SQL queries.

Proof of Concept

The vulnerable PHP code is in src/Controller/Admin/SegmentAssignmentController.php, in the inheritableSegments method:

The type parameter is not escaped and is concatenated into the SQL query instead of being passed through a prepared statement. This leads to a SQL injection through this parameter.

The query that is being executed is similar to this:

SELECT 'parentId' FROM 'TYPE + s' WHERE 'id'=PARAMETRIZED_ID
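The following is an added illustration, not code from pimcore/customer-data-framework, of the two patterns the report contrasts: a table name assembled by concatenating the request's type parameter (only id is bound, and binding cannot protect an identifier position), beside a hardened form that resolves type through a fixed allowlist and binds id as a parameter. The function names, the allowlist contents and the SQLite sample data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

/**
 * Vulnerable pattern (assumed shape, not the project's code): the caller-
 * supplied $type is concatenated into the identifier position of the
 * statement. Only :id is bound, so a $type value that closes the backtick
 * changes the statement text itself; PDO::prepare() cannot protect an
 * identifier, only values.
 */
function buildParentIdQueryVulnerable(string $type): string
{
    return 'SELECT `parentId` FROM `' . $type . 's` WHERE `id` = :id';
}

/**
 * Hardened pattern: map the element type to a table name through an
 * allowlist and reject anything else before any SQL text is assembled.
 * The mapping below is an assumption for the example.
 */
const TYPE_TABLES = [
    'document' => 'documents',
    'asset'    => 'assets',
    'object'   => 'objects',
];

function resolveTable(string $type): string
{
    if (!array_key_exists($type, TYPE_TABLES)) {
        throw new InvalidArgumentException('unsupported element type');
    }
    return TYPE_TABLES[$type];
}

function buildParentIdQuerySafe(string $type): string
{
    // The table name now comes only from the allowlist, never from the request.
    return 'SELECT `parentId` FROM `' . resolveTable($type) . '` WHERE `id` = :id';
}

function fetchParentId(PDO $db, string $type, int $id): ?int
{
    $stmt = $db->prepare(buildParentIdQuerySafe($type));
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['parentId'];
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
// SQLite accepts backtick-quoted identifiers, so the MySQL-style query runs here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, parentId INTEGER)');
$db->exec('INSERT INTO documents (id, parentId) VALUES (1, 0), (5, 1)');

var_dump(fetchParentId($db, 'document', 5));

// A type value that is not on the allowlist never reaches the SQL layer.
try {
    fetchParentId($db, 'not_a_type', 5);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the allowlist is that identifiers (table and column names) cannot be bound as prepared-statement parameters, so the only safe source for them is a fixed set defined in code; the id value, which is data, is bound with PDO::PARAM_INT as usual.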

We can see it in the following screenshot, where we print the $parentIdStatement variable in the HTTP response for debugging purposes.

In that example, we pass type=document and the query appends an 's', so it searches the documents table. For that reason, to get a working SQL injection we need to supply an existing, valid table, like documents. As MySQL supports stacked queries, we can use them to execute any query we want on the database. We have to take care of the trailing part of the query, + s' WHERE 'id'=PARAMETRIZED_ID.

For that reason, we can build a query like this:

SELECT 'parentId' FROM 'documents'; MALICIOUS_SQL_QUERY; SELECT 1 FROM 'documents' WHERE 'id'=PARAMETRIZED_ID

This will run 3 SQL queries on the database:

  1. SELECT 'parentId' FROM 'documents'
  2. MALICIOUS_SQL_QUERY
  3. SELECT 1 FROM 'documents' WHERE 'id'=PARAMETRIZED_ID

With this, we can run our malicious queries without errors. To achieve this, we must inject the following crafted payload in the type parameter:

documents`; MALICIOUS_SQL_QUERY; SELECT 1 FROM `document

This will raise an error in our response, because the type parameter is used again on line 62, after the query has been run against the database.

However, as we can see, our malicious query is executed.

That is why this SQL injection is blind, but we can still insert, edit or delete any data in the database, and we can also obtain data with time-based or error-based queries.

Impact

A user with administrator privileges can run any SQL query on the database. This can be used to retrieve sensitive data, change database contents or perform any other malicious activity against the database.

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 2 months ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back a month ago
Jordi Miralles
a month ago

Researcher


Hi @admin, any news about this?

Pavlos
a month ago

Admin


No, we've contacted the maintainer, please be patient.

pimcore/customer-data-framework maintainer has acknowledged this report a month ago
Jordi Miralles
10 days ago

Researcher


Hi @maintainer, any news on this?

Divesh Pahuja modified the Severity from High (7.2) to Medium (6.5) 8 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 8 days ago
Jordi Miralles has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 3.3.10 with commit 76df15 8 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 8 days ago
Jordi Miralles
8 days ago

Researcher


Thanks for your credit Divesh!
