SQL injection in RecyclebinController.php in pimcore/pimcore

Valid

Reported on

Mar 29th 2022


Description

From the code we can see that at line 122 the value is appended to the SQL query string directly. That value comes from line 109, where it is read from the filter parameter, so the value field of the filter can be used to inject into the database query. If we set a malformed value, the resulting SQL error can be seen in the log file.


Proof of Concept

"filterFullText=&page=1&start=0&limit=50&filter="+encodeURIComponent('[{"property":"path","type":"string","value":"1 %\'  union select 1 # ","operator":"="}]')
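The pattern the report describes, shown as an added example that is not pimcore's code: a Python stand-in for the controller's filter handling, with the string-concatenation form beside a hardened builder that binds the value as a parameter and allowlists the property and operator names (the column set and table are hypothetical). The proof-of-concept value above is fed to both.

```python
import json
import sqlite3

# Allowlists (hypothetical column set): a column name or operator cannot be
# bound as a parameter, so it must be checked against a fixed set before it is
# spliced into the query text. This also covers the 'property' field.
ALLOWED_PROPERTIES = {"id", "path", "subtype", "deletedby"}
ALLOWED_OPERATORS = {"=": "=", "like": "LIKE", "lt": "<", "gt": ">"}

def build_filter_query_unsafe(filter_json: str) -> str:
    # The pattern the report describes: the raw value is appended to the SQL
    # string, so a quote in the value terminates the literal and becomes syntax.
    f = json.loads(filter_json)[0]
    return f"SELECT id, path FROM recyclebin WHERE {f['property']} = '{f['value']}'"

def build_filter_query(filter_json: str):
    # Return (sql, params) for an ExtJS-style filter array. Values are always
    # bound parameters; property and operator names never come verbatim from input.
    where, params = [], []
    for f in json.loads(filter_json):
        prop, op = f["property"], f.get("operator", "=")
        if prop not in ALLOWED_PROPERTIES:
            raise ValueError(f"unknown filter property: {prop!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"unknown filter operator: {op!r}")
        where.append(f"{prop} {ALLOWED_OPERATORS[op]} ?")
        params.append(f["value"])
    sql = "SELECT id, path FROM recyclebin"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, params

def demo():
    # Constructed in-memory table standing in for the recycle-bin table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recyclebin (id INTEGER, path TEXT, subtype TEXT, deletedby TEXT)")
    conn.executemany("INSERT INTO recyclebin VALUES (?,?,?,?)",
                     [(1, "/home", "page", "admin"), (2, "/assets/a.png", "image", "admin")])
    # The value from the report's proof of concept, wrapped in the same filter JSON.
    poc = json.dumps([{"property": "path", "type": "string",
                       "value": "1 %'  union select 1 # ", "operator": "="}])
    try:                       # unsafe build: the stray quote breaks the statement
        conn.execute(build_filter_query_unsafe(poc))
        unsafe_errored = False
    except sqlite3.Error:      # this is the kind of error the report saw in the log
        unsafe_errored = True
    sql, params = build_filter_query(poc)   # safe build: the value stays a literal
    return unsafe_errored, conn.execute(sql, params).fetchall()
```

`demo()` returns `(True, [])`: the concatenated query fails with a syntax error, while the parameterised query simply matches no row.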

Impact

This vulnerability allows an attacker to steal data from the database.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
mylong modified the report
2 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 2 months ago
Divesh Pahuja confirmed that a fix has been merged on a69783 2 months ago
Divesh Pahuja has been awarded the fix bounty
mylong
2 months ago

Researcher


Seems the 'property' parameter is not fixed. And there are several other points that lead to SQLi; should I raise a new issue or write it here?

Divesh Pahuja
2 months ago

Maintainer


@mylong please raise a new issue. thanks!
