SQL injection in RecyclebinController.php in pimcore/pimcore

Valid

Reported on

Mar 29th 2022


Description

From the code we can see that in line 122 the value is appended to the SQL query directly. The value comes from line 109, which reads it from the `filter` parameter, so the `value` field of a filter entry can be used to inject into the database query. If we set a malformed value, the resulting SQL error can be seen in the log file.


Proof of Concept

"filterFullText=&page=1&start=0&limit=50&filter="+encodeURIComponent('[{"property":"path","type":"string","value":"1 %\'  union select 1 # ","operator":"="}]')
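The fix pattern for this class of bug, as an added example that is not Pimcore's own code or the fix from commit a69783: the JSON `filter` parameter is parsed, the column name and operator are taken only from fixed allowlists (identifiers cannot be bound as parameters), and the value is always passed as a bound parameter instead of being appended to the query string. It assumes plain PDO (`$pdo`) and a hypothetical `recyclebin` table with the listed columns.

```php
<?php
// Added example (not Pimcore's code): build the recycle-bin WHERE clause from the
// JSON "filter" request parameter without concatenating user input into SQL.
// Assumed: a PDO connection in $pdo and a table whose columns are listed below.

const ALLOWED_PROPERTIES = ['path', 'type', 'subtype', 'deletedby', 'date'];
const ALLOWED_OPERATORS  = ['=' => '=', 'like' => 'LIKE', 'gt' => '>', 'lt' => '<'];

/**
 * Returns [sqlFragment, boundParams]. The column name and operator come only from
 * the allowlists above (they cannot be bound); every value is a bound placeholder.
 */
function buildFilterWhere(string $filterJson): array
{
    $filters = json_decode($filterJson, true);
    if (!is_array($filters)) {
        return ['1=1', []];
    }
    $clauses = [];
    $params  = [];
    foreach ($filters as $f) {
        $property = (string)($f['property'] ?? '');
        $operator = strtolower((string)($f['operator'] ?? '='));
        if (!in_array($property, ALLOWED_PROPERTIES, true)) {
            throw new InvalidArgumentException('Unknown filter property');
        }
        if (!isset(ALLOWED_OPERATORS[$operator])) {
            throw new InvalidArgumentException('Unknown filter operator');
        }
        $value = (string)($f['value'] ?? '');
        if ($operator === 'like') {
            // Escape LIKE metacharacters so a user-supplied % or _ cannot widen the match.
            $value = '%' . addcslashes($value, '%_\\') . '%';
        }
        $name = ':v' . count($params);
        $clauses[] = sprintf('`%s` %s %s', $property, ALLOWED_OPERATORS[$operator], $name);
        $params[$name] = $value;
    }
    return [implode(' AND ', $clauses) ?: '1=1', $params];
}

// With the report's filter payload the quote and "union select" text are bound as a
// literal string value and compared against the column; they are never parsed as SQL.
[$where, $params] = buildFilterWhere($_GET['filter'] ?? '[]');
$stmt = $pdo->prepare("SELECT * FROM `recyclebin` WHERE $where ORDER BY `date` DESC LIMIT 50");
$stmt->execute($params);
```

An unknown `property` now fails closed with an exception rather than reaching the query, which also covers the follow-up point in the comments that the column name itself is user-controlled.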

Impact


This vulnerability is capable of stealing data from the database.

We are processing your report and will contact the pimcore team within 24 hours. 2 years ago
We have contacted a member of the pimcore team and are waiting to hear back 2 years ago
mylong modified the report
2 years ago
We have sent a follow up to the pimcore team. We will try again in 4 days. 2 years ago
Divesh Pahuja validated this vulnerability 2 years ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 2 years ago
Divesh Pahuja marked this as fixed in 10.3.5 with commit a69783 2 years ago
Divesh Pahuja has been awarded the fix bounty
mylong
2 years ago

Researcher


Seems the 'property' parameter is not fixed. And there are several other points that lead to SQLi; should I raise a new issue or write it here?

Divesh Pahuja
2 years ago

Maintainer


@mylong please raise a new issue. Thanks!
