Business Logic Errors in pimcore/demo

Valid

Reported on

Oct 29th 2021


Description

There is no check on the number of items that a user can add to the cart. Adding a huge number of items when updating the cart causes the server to fail, returning a 500 Internal Server Error.

Proof of Concept

The POST request below causes the server to fail (it adds 900000000 items of the same product). After this POST request, users can't see the cart anymore (they receive a 500 Internal Server Error).

POST /en/cart HTTP/1.1
Host: demo.pimcore.fun
Cookie: _pc_vis=120b166ae122a7b3; _pc_ses=1635515753969; PHPSESSID=9f6ea63a476c11cbf71a922ec72492d2; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MDIsInB0ZyI6eyJfbSI6MSwiX2MiOjE2MzU1MTU1OTcsIl91IjoxNjM1NTE1NzAxLCJ2aTpzcnUiOls3LDFdfSwiZXhwIjoxNjM1NTE3NTAxfQ.dveL3XuGf66wRk59wnA7yMrSuRWPFnEmHuJK4SXDWyY; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MjYxLCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MSwiMTAwNyI6MX0sIl9jIjoxNjM1NTE1NTk3LCJfdSI6MTYzNTUxNTYyOSwidGciOltdfSwiZXhwIjoxNjY3MDUxNzAxfQ.SvwP5gneI2doHDVbtLL1A1TtgZYPc_lu6t3y1FNpi-M
Content-Length: 24
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://demo.pimcore.fun
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.pimcore.fun/en/cart
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9
Connection: close

items%5B235%5D=900000000

Impact

Not a huge impact in terms of security at the moment, but together with a CSRF vulnerability it would be possible to mount a DoS attack.

Mitigation

The application should set a maximum amount of items that can be added to the cart.
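As an added illustration of that mitigation (this is example code, not the pimcore/demo fix or any Pimcore API), the snippet below validates the decoded `items[<productId>] = <quantity>` form field before the cart is touched. Every quantity must be an integer within a hard upper bound, the number of distinct lines per update is capped, and a request that violates the limits is answered with a 400 instead of being allowed to fail with a 500. The constants `MAX_QTY_PER_LINE` and `MAX_CART_LINES`, the function names, and the product ids are assumptions chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from pimcore/demo. Limits and names are assumptions.
const MAX_QTY_PER_LINE = 100;   // assumed per-product quantity limit
const MAX_CART_LINES   = 50;    // assumed limit on distinct products per update

/**
 * Validate the decoded "items" form field (items[<productId>] = <quantity>).
 *
 * Returns a list of [productId, quantity] pairs on success, or throws
 * InvalidArgumentException with a message suitable for a 400 response.
 *
 * @param mixed $items the raw $_POST['items'] value (may be missing or malformed)
 * @return array<int, array{0:int,1:int}>
 */
function validateCartItems($items): array
{
    if (!is_array($items)) {
        throw new InvalidArgumentException('items must be a map of product id to quantity');
    }
    if (count($items) > MAX_CART_LINES) {
        throw new InvalidArgumentException('too many distinct products in one update');
    }

    $clean = [];
    foreach ($items as $productId => $quantity) {
        // Array keys arrive as int or string; require a positive integer id.
        $id = filter_var($productId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('invalid product id');
        }
        // Quantity must be an integer in [0, MAX_QTY_PER_LINE]; 0 removes the line.
        // FILTER_VALIDATE_INT also rejects "1e9", "9.0", "" and nested arrays.
        $qty = filter_var($quantity, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 0, 'max_range' => MAX_QTY_PER_LINE],
        ]);
        if ($qty === false) {
            throw new InvalidArgumentException(sprintf(
                'quantity for product %d must be an integer between 0 and %d',
                $id,
                MAX_QTY_PER_LINE
            ));
        }
        $clean[] = [$id, $qty];
    }
    return $clean;
}

/**
 * Minimal handler wiring: decode the body the same way PHP fills $_POST,
 * validate it, and map validation failures to a 400 response.
 */
function handleCartUpdate(string $body): array
{
    parse_str($body, $post);
    try {
        $lines = validateCartItems($post['items'] ?? null);
    } catch (InvalidArgumentException $e) {
        return ['status' => 400, 'error' => $e->getMessage()];
    }
    // The real cart update would consume $lines here.
    return ['status' => 200, 'lines' => $lines];
}

// The body from the report above is rejected with 400; a sane update passes.
var_dump(handleCartUpdate('items%5B235%5D=900000000'));
var_dump(handleCartUpdate('items%5B235%5D=2&items%5B1007%5D=0'));
```

The key design choice is to validate with `filter_var(..., FILTER_VALIDATE_INT, ['options' => ['min_range' => ..., 'max_range' => ...]])` rather than casting with `(int)`: a cast silently turns `"1e9"` or an array into something numeric, whereas the filter rejects anything that is not a plain integer inside the allowed range, so the bound is enforced before any cart logic runs.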

lfama
a year ago

Researcher


Hi @admin, has this report been notified to maintainers? I don't see the usual acknowledge of the notification. Thanks!

Jamie Slome
a year ago

Admin


@lfama - the outreach process has been recently adjusted - but rest assured, e-mails will be sent out to the maintainers within 24 hours of your original disclosure time.

The maintainers will be notified today of your report.

Cheers!

lfama
a year ago

Researcher


I was not aware of the adjustment, Thanks Jamie!

Jamie Slome
a year ago

Admin


No worries, we rolled out this change last night but will make it clearer with follow-up improvements on the platform this week.

We have contacted a member of the pimcore/demo team and are waiting to hear back a year ago
We have sent a follow up to the pimcore/demo team. We will try again in 7 days. a year ago
pimcore/demo maintainer
a year ago

Maintainer


Thanks for reporting the issue! Just wanted to let you know that we're aware of the issue and we're planning to fix that soon. Since it's not a critical thing (it's a demo), it doesn't have the highest priority as of now.

pimcore/demo maintainer
a year ago

Maintainer


https://github.com/pimcore/demo/issues/262

lfama
a year ago

Researcher


Great, Thank you for the update!

We have sent a second follow up to the pimcore/demo team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the pimcore/demo team. This report is now considered stale. a year ago
Divesh Pahuja validated this vulnerability a year ago
lfama has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja
a year ago

Maintainer


Hi,

This is fixed on pimcore/demo, not on pimcore/pimcore. Please find the fix commit here: https://github.com/pimcore/demo/commit/b1c1c51fa0ddfc33dbc2ac7cd161550359252669.

thanks, Divesh

lfama
a year ago

Researcher


Hi Divesh,

Thank you for the update. @admin, I think in this case I should report the disclosure for the other repository; can you please let me know? Thanks.

Jamie Slome
a year ago

Admin


Hello all 👋

We can adjust the repository here, but for clarity, we will need to adjust the bounties as well.

Furthermore, we may revoke the CVE as well, as it looks like this report is against a demo library.

Please confirm if you are happy with this, and I will arrange the switch for you 👍

lfama
a year ago

Researcher


Hi Jamie,

Sure, it's fine for me; I wasn't aware that the issue was related only to the demo repo.

Thanks!

Divesh Pahuja
a year ago

Maintainer


Hello Jamie,

I'm also fine with the switch. Thanks for your help!

Jamie Slome
a year ago

Admin


@lfama & @dvesh3 - sorted! 🎊

Divesh Pahuja marked this as fixed in 10.1.8 with commit b1c1c5 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE