SQL injection in RecyclebinController.php in pimcore/pimcore

Valid

Reported on Mar 29th 2022


Description

From the code we can see that in line 122 the value is appended to the SQL query directly. The value comes from line 109, where it is taken from the filter parameter, so the value field can be used to inject into the database. If we set a malformed value, the SQL error can be seen in the log file.

Proof of Concept

"filterFullText=&page=1&start=0&limit=50&filter="+encodeURIComponent('[{"property":"path","type":"string","value":"1 %\'  union select 1 # ","operator":"="}]')

Impact

This vulnerability is capable of stealing data from the database.
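For contrast, the following is an added example (not pimcore's code) of how a filter parameter of this shape can be applied without string concatenation: column names are checked against an allowlist (identifiers cannot be bound, which is why the property field needs the same care as the value), operators are mapped to fixed SQL, and every value is passed as a bound parameter. The table and column names are assumed for illustration, and the report's payload is used as input to show it is treated as a plain literal.

```php
<?php
// Added example, not pimcore's code. Table and column names are assumed.
declare(strict_types=1);

const ALLOWED_COLUMNS   = ['id', 'path', 'type', 'subtype', 'deletedby'];
const ALLOWED_OPERATORS = ['=' => '=', 'like' => 'LIKE', 'lt' => '<', 'gt' => '>'];

/**
 * Turn the raw `filter` request parameter (a JSON array of
 * {property,type,value,operator} objects) into a WHERE fragment plus bound values.
 *
 * @return array{0: string, 1: array<int, mixed>}
 */
function buildFilter(string $filterJson): array
{
    $filters = json_decode($filterJson, true);
    if (!is_array($filters)) {
        return ['1=1', []];
    }
    $clauses = [];
    $params  = [];
    foreach ($filters as $f) {
        $property = $f['property'] ?? '';
        $operator = $f['operator'] ?? '=';
        // Identifiers and operators cannot be bound, so they must match the allowlist exactly.
        if (!is_string($property) || !is_string($operator)
            || !in_array($property, ALLOWED_COLUMNS, true) || !isset(ALLOWED_OPERATORS[$operator])) {
            throw new InvalidArgumentException('rejected filter field or operator');
        }
        $clauses[] = sprintf('`%s` %s ?', $property, ALLOWED_OPERATORS[$operator]);
        $params[]  = $f['value'] ?? '';   // bound as a parameter, never interpolated
    }
    return [implode(' AND ', $clauses) ?: '1=1', $params];
}

// Demo against an in-memory SQLite table standing in for the recycle bin.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE recyclebin (id INTEGER, path TEXT, type TEXT)');
$pdo->exec("INSERT INTO recyclebin VALUES (1, '/foo', 'document'), (2, '/bar', 'asset')");

// The report's payload: once bound, it is only a literal that matches no row.
$payload = '[{"property":"path","type":"string","value":"1 %\'  union select 1 # ","operator":"="}]';
[$where, $params] = buildFilter($payload);
$stmt = $pdo->prepare("SELECT id, path FROM recyclebin WHERE $where");
$stmt->execute($params);
var_dump(count($stmt->fetchAll()) === 0);   // bool(true): no rows and no SQL error

// A property name outside the allowlist is rejected before any SQL is built.
try {
    buildFilter('[{"property":"secret","value":"x","operator":"="}]');
} catch (InvalidArgumentException $e) {
    echo "unknown column rejected\n";
}
```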

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
mylong modified the report a year ago
We have sent a follow up to the pimcore team. We will try again in 7 days. a year ago
Divesh Pahuja validated this vulnerability a year ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. a year ago
Divesh Pahuja marked this as fixed in 10.3.5 with commit a69783 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE
mylong
a year ago

Researcher


Seems the 'property' parameter is not fixed. And there are several other points that lead to SQLi; should I raise a new issue or write it here?

Divesh Pahuja
a year ago

Maintainer


@mylong please raise a new issue. thanks!