Business Logic Errors in pimcore/demo

Valid

Reported on Oct 29th 2021


Description

There is no upper bound on the quantity of an item that a user can add to the cart. Submitting an extremely large quantity when updating the cart makes the server fail and return a 500 Internal Server Error.

Proof of Concept

The POST request below causes the server to fail (it adds 900000000 units of the same product). After this request the user can no longer view the cart: every request for it returns a 500 Internal Server Error.

POST /en/cart HTTP/1.1
Host: demo.pimcore.fun
Cookie: _pc_vis=120b166ae122a7b3; _pc_ses=1635515753969; PHPSESSID=9f6ea63a476c11cbf71a922ec72492d2; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MDIsInB0ZyI6eyJfbSI6MSwiX2MiOjE2MzU1MTU1OTcsIl91IjoxNjM1NTE1NzAxLCJ2aTpzcnUiOls3LDFdfSwiZXhwIjoxNjM1NTE3NTAxfQ.dveL3XuGf66wRk59wnA7yMrSuRWPFnEmHuJK4SXDWyY; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MzU1MTU3MDEuNzA2MjYxLCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MSwiMTAwNyI6MX0sIl9jIjoxNjM1NTE1NTk3LCJfdSI6MTYzNTUxNTYyOSwidGciOltdfSwiZXhwIjoxNjY3MDUxNzAxfQ.SvwP5gneI2doHDVbtLL1A1TtgZYPc_lu6t3y1FNpi-M
Content-Length: 24
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://demo.pimcore.fun
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.pimcore.fun/en/cart
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9
Connection: close

items%5B235%5D=900000000

Impact

Limited security impact on its own, since the attacker only breaks the cart of their own session. Combined with a CSRF vulnerability, however, the same request could be used to break other users' carts, which amounts to a DoS attack.

Mitigation

The application should enforce, on the server side, a maximum quantity per item (and a maximum number of items per cart), rejecting or clamping any submitted value above that limit before the cart is persisted.
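As an added illustration of that mitigation (example code, not the pimcore/demo fix and not pimcore's API), the function below validates the `items[<productId>]=<quantity>` form payload seen in the proof of concept before anything touches the cart. The limits MAX_QTY_PER_ITEM and MAX_ITEMS_PER_CART are assumed values chosen for the example; the calling controller and the 400 response are assumed as well.

```php
<?php
declare(strict_types=1);

// Assumed limits for the example; a real shop picks values that fit its business rules.
const MAX_QTY_PER_ITEM   = 99;
const MAX_ITEMS_PER_CART = 100;

/**
 * Validate and normalise the submitted cart quantities.
 *
 * $submitted is the decoded "items" form array, e.g. ['235' => '900000000'].
 * Returns ['items' => [productId => qty, ...], 'errors' => [string, ...]].
 * If 'errors' is non-empty the controller should answer 400 and persist nothing.
 */
function validateCartItems(array $submitted): array
{
    $items  = [];
    $errors = [];

    foreach ($submitted as $rawId => $rawQty) {
        // Product ids arrive as the array key (items[235]); require a positive integer.
        $productId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($productId === false) {
            $errors[] = sprintf("invalid product id '%s'", (string) $rawId);
            continue;
        }

        // This is the missing check: strict integer parse with an explicit upper bound.
        // FILTER_VALIDATE_INT rejects floats, exponents, whitespace and out-of-range values,
        // so '900000000', '9e8', '1.5' and '' all fail here.
        $qty = filter_var($rawQty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => MAX_QTY_PER_ITEM]]);
        if ($qty === false) {
            $errors[] = sprintf('quantity for product %d must be an integer between 0 and %d',
                $productId, MAX_QTY_PER_ITEM);
            continue;
        }

        // A quantity of 0 means "remove from cart"; only positive quantities are kept.
        if ($qty > 0) {
            $items[$productId] = $qty;
        }
    }

    // Per-item caps alone still allow many distinct products; cap the total as well.
    if (array_sum($items) > MAX_ITEMS_PER_CART) {
        $errors[] = sprintf('cart may not contain more than %d items in total', MAX_ITEMS_PER_CART);
    }

    return ['items' => $items, 'errors' => $errors];
}

// Constructed inputs: the proof-of-concept payload and a benign update.
$poc    = validateCartItems(['235' => '900000000']);
$benign = validateCartItems(['235' => '2', '860' => '0']);

// The PoC payload is rejected with an error and yields no items;
// the benign update keeps product 235 and drops product 860.
assert($poc['errors'] !== [] && $poc['items'] === []);
assert($benign['errors'] === [] && $benign['items'] === [235 => 2]);
```

In a Symfony controller the `$submitted` array would come from the request body (for instance the `items` parameter of the POST to /en/cart); that wiring is assumed here. The point of the example is that the bound is enforced before the quantity is written to the cart, so an oversized value never reaches the code path that later fails with a 500.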

lfama
3 months ago

Researcher


Hi @admin, have the maintainers been notified of this report? I don't see the usual acknowledgement of the notification. Thanks!

Jamie Slome
3 months ago

Admin


@lfama - the outreach process has been recently adjusted - but rest assured, e-mails will be sent out to the maintainers within 24 hours of your original disclosure time.

The maintainers will be notified today of your report.

Cheers!

lfama
3 months ago

Researcher


I was not aware of the adjustment. Thanks Jamie!

Jamie Slome
3 months ago

Admin


No worries, we rolled out this change last night but will make it clearer with follow-up improvements on the platform this week.

We have contacted a member of the pimcore/demo team and are waiting to hear back 3 months ago
We have sent a follow up to the pimcore/demo team. We will try again in 7 days. 3 months ago
pimcore/demo maintainer
3 months ago

Maintainer


Thanks for reporting the issue! Just wanted to let you know that we're aware of the issue and we're planning to fix that soon. Since it's not a critical thing (it's a demo), it doesn't have the highest priority as of now.

pimcore/demo maintainer
3 months ago

Maintainer


https://github.com/pimcore/demo/issues/262

lfama
3 months ago

Researcher


Great, thank you for the update!

We have sent a second follow up to the pimcore/demo team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the pimcore/demo team. This report is stale. 2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
lfama has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja
2 months ago

Maintainer


Hi,

This is fixed in pimcore/demo, not in pimcore/pimcore. Please find the fix commit here: https://github.com/pimcore/demo/commit/b1c1c51fa0ddfc33dbc2ac7cd161550359252669.

Thanks, Divesh

lfama
2 months ago

Researcher


Hi Divesh,

Thank you for the update. @admin I think in this case I should report the disclosure for the other repository; can you please let me know? Thanks!

Jamie Slome
2 months ago

Admin


Hello all 👋

We can adjust the repository here, but for clarity, we will need to adjust the bounties as well.

Furthermore, we may revoke the CVE as well, as it looks like this report is against a demo library.

Please confirm if you are happy with this, and I will arrange the switch for you 👍

lfama
2 months ago

Researcher


Hi Jamie,

Sure, it's fine for me. I wasn't aware that the issue was related only to the demo repo.

Thanks!

Divesh Pahuja
2 months ago

Maintainer


Hello Jamie,

I'm also fine with the switch. Thanks for your help!

Jamie Slome
2 months ago

Admin


@lfama & @dvesh3 - sorted! 🎊

Divesh Pahuja confirmed that a fix has been merged on b1c1c5 2 months ago
The fix bounty has been dropped