Headline
CVE-2023-28850
Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. An attacker who exploits this vulnerability could steal a user's cookie and use it to gain unauthorized access to that user's account, or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually.
From abf0ecfeb589bb7385a8847fad45747dc0a56f57 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Tue, 14 Mar 2023 08:20:16 +0100 Subject: [PATCH 1/4] optimized perspective and view creation — src/Resources/public/js/pimcore/perspective/perspective.js | 2 ++ src/Resources/public/js/pimcore/perspective/view.js | 2 ++ src/Services/PerspectiveAccessor.php | 2 ± src/Services/ViewAccessor.php | 2 ++ 4 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/Resources/public/js/pimcore/perspective/perspective.js b/src/Resources/public/js/pimcore/perspective/perspective.js index 94340c7…0f520ab 100644 — a/src/Resources/public/js/pimcore/perspective/perspective.js +++ b/src/Resources/public/js/pimcore/perspective/perspective.js @@ -104,6 +104,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { disabled: !pimcore.settings[‘perspectives-writeable’], handler: function(){ Ext.MessageBox.prompt(t(‘plugin_pimcore_perspectiveeditor_new_perspective’), t(‘plugin_pimcore_perspectiveeditor_new_perspective’), function (button, value) { + value = pimcore.helpers.sanitizeString(value); + if (button === ‘ok’ && value.length > 0) { //check for configs with same name let match = this.perspectiveTreeStore.findExact("name", value); diff --git a/src/Resources/public/js/pimcore/perspective/view.js b/src/Resources/public/js/pimcore/perspective/view.js index be0a35f…0d0bbad 100644 — a/src/Resources/public/js/pimcore/perspective/view.js +++ b/src/Resources/public/js/pimcore/perspective/view.js 
@@ -86,6 +86,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { disabled: !pimcore.settings[‘custom-views-writeable’], handler: function () { Ext.MessageBox.prompt(t(‘plugin_pimcore_perspectiveeditor_new_view’), t(‘plugin_pimcore_perspectiveeditor_new_view’), function (button, value) { + value = pimcore.helpers.sanitizeString(value); + if (button === ‘ok’ && value.length > 0) { const record = this.viewTreeStore.getRoot().appendChild({ id: pimcore.bundle.perspectiveeditor.PerspectiveViewHelper.generateUuid(), diff --git a/src/Services/PerspectiveAccessor.php b/src/Services/PerspectiveAccessor.php index 6065d97…1b45424 100644 — a/src/Services/PerspectiveAccessor.php +++ b/src/Services/PerspectiveAccessor.php @@ -24,7 +24,7 @@ protected function convertTreeStoreToConfiguration($treeStore) $configuration = []; foreach ($treeStore[‘children’] as $child) { - $name = $child[‘name’]; + $name = htmlspecialchars($child[‘name’]); $configuration[$name] = []; $configuration[$name][‘elementTree’] = []; foreach ($child[‘children’] as $index => $element) { diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index dcf9c29…611828f 100644 — a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,6 +39,8 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore[‘children’])) { foreach ($treeStore[‘children’] as $child) { + $child[‘config’][‘name’] = htmlspecialchars($child[‘config’][‘name’]); + if (!empty($child[‘config’][‘treeContextMenu’])) { foreach (array_keys($child[‘config’][‘treeContextMenu’]) as $contextMenuEntry) { if (substr($child[‘config’][‘treetype’], 0, strlen($contextMenuEntry)) != $contextMenuEntry) { From 0947219f8861627919f59697b31129d056ec1af8 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Tue, 14 Mar 2023 08:25:40 +0100 Subject: [PATCH 2/4] added condition — src/Services/ViewAccessor.php | 4 ++± 1 file changed, 3 insertions(+), 1 deletion(-) 
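Review bot: In `convertTreeStoreToConfiguration` of PerspectiveAccessor.php the name is HTML-encoded when the configuration is built, `$name = htmlspecialchars($child['name']);`, so the array key becomes escaped markup rather than the raw name; the ViewAccessor.php hunk that follows does the same for `$child['config']['name']`. Encoding at write time only protects HTML sinks, and if a saved name is later passed through this method again an `&` would presumably be encoded a second time. Encoding where the name is rendered, and rejecting unexpected characters here, is easier to reason about. If the write-time call stays, pass the flags explicitly, `htmlspecialchars($child['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, because before PHP 8.1 the default flags leave single quotes unescaped. Both function bodies continue outside their hunks, so how the encoded value is used afterwards is not visible here.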
diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index 611828f…edf2ab3 100644 — a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,7 +39,9 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore[‘children’])) { foreach ($treeStore[‘children’] as $child) { - $child[‘config’][‘name’] = htmlspecialchars($child[‘config’][‘name’]); + if(array_key_exists('name’, $child[‘config’])) { + $child[‘config’][‘name’] = htmlspecialchars($child[‘config’][‘name’]); + } if (!empty($child[‘config’][‘treeContextMenu’])) { foreach (array_keys($child[‘config’][‘treeContextMenu’]) as $contextMenuEntry) { From 947806d95b0bdbaa152da1e9ebb5159fea0d6f37 Mon Sep 17 00:00:00 2001 From: Corepex Date: Tue, 14 Mar 2023 07:26:15 +0000 Subject: [PATCH 3/4] Apply php-cs-fixer changes — src/Services/ViewAccessor.php | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php index edf2ab3…83af4bc 100644 — a/src/Services/ViewAccessor.php +++ b/src/Services/ViewAccessor.php @@ -39,7 +39,7 @@ protected function convertTreeStoreToConfiguration($treeStore) if (isset($treeStore[‘children’])) { foreach ($treeStore[‘children’] as $child) { - if(array_key_exists(‘name’, $child[‘config’])) { + if (array_key_exists(‘name’, $child[‘config’])) { $child[‘config’][‘name’] = htmlspecialchars($child[‘config’][‘name’]); } From 6ae4d56557dbc0178d4cb2f5622ca39f6e62e0e5 Mon Sep 17 00:00:00 2001 From: ChristianFeldkirchne Date: Mon, 20 Mar 2023 11:20:17 +0100 Subject: [PATCH 4/4] added sanitizeName function — src/Resources/public/js/pimcore/perspective/perspective.js | 6 ++++± src/Resources/public/js/pimcore/perspective/view.js | 6 ++++± 2 files changed, 10 insertions(+), 2 deletions(-) 
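Review bot: The guard added in the `[PATCH 2/4]` hunk, `array_key_exists('name', $child['config'])`, still assumes `$child['config']` is an array. On PHP 8 a missing or null `config` makes `array_key_exists` throw a TypeError, and a name that is present but null is still handed to `htmlspecialchars`. `if (isset($child['config']['name'])) {` covers both cases in one check. The tree store presumably comes from the client request, so its shape should not be trusted at this point. The loop body continues outside the hunk.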
diff --git a/src/Resources/public/js/pimcore/perspective/perspective.js b/src/Resources/public/js/pimcore/perspective/perspective.js index 0f520ab…d35f765 100644 — a/src/Resources/public/js/pimcore/perspective/perspective.js +++ b/src/Resources/public/js/pimcore/perspective/perspective.js @@ -104,7 +104,7 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { disabled: !pimcore.settings[‘perspectives-writeable’], handler: function(){ Ext.MessageBox.prompt(t(‘plugin_pimcore_perspectiveeditor_new_perspective’), t(‘plugin_pimcore_perspectiveeditor_new_perspective’), function (button, value) { - value = pimcore.helpers.sanitizeString(value); + value = this.sanitizeName(value); if (button === ‘ok’ && value.length > 0) { //check for configs with same name @@ -826,4 +826,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class { } } } + + sanitizeName (name) { + return name.replace(/[^a-z0-9_\-.+]/gi,’’); + } } diff --git a/src/Resources/public/js/pimcore/perspective/view.js b/src/Resources/public/js/pimcore/perspective/view.js index 0d0bbad…4b13f31 100644 — a/src/Resources/public/js/pimcore/perspective/view.js +++ b/src/Resources/public/js/pimcore/perspective/view.js @@ -86,7 +86,7 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { disabled: !pimcore.settings[‘custom-views-writeable’], handler: function () { Ext.MessageBox.prompt(t(‘plugin_pimcore_perspectiveeditor_new_view’), t(‘plugin_pimcore_perspectiveeditor_new_view’), function (button, value) { - value = pimcore.helpers.sanitizeString(value); + value = this.sanitizeName(value); if (button === ‘ok’ && value.length > 0) { const record = this.viewTreeStore.getRoot().appendChild({ @@ -569,4 +569,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class { } } } + + sanitizeName (name) { + return name.replace(/[^a-z0-9_\-.+]/gi,’’); + } }
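Review bot: `sanitizeName` is added twice with an identical body, in the last hunk of perspective.js and of view.js, and as far as this patch series shows it is the only place the `/[^a-z0-9_\-.+]/gi` allowlist is enforced. Anything that reaches the PHP accessors without going through these two prompts skips the filter, so the same allowlist should also be applied server-side, for example `preg_replace('/[^a-z0-9_\-.+]/i', '', $name)`, with the browser-side call kept as a convenience. The method also drops disallowed characters silently, so the stored name can differ from what the user typed. A comment on it would help, such as `// Allowlist for new names: a-z, 0-9, _ - . + (case-insensitive); keep in sync with the server-side check.`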
Related news
### Impact

An attacker who exploits this vulnerability could steal a user's cookie and use it to gain unauthorized access to that user's account, or redirect users to other malicious sites.

### Patches

Update to version 1.5.1.

### Workarounds

Apply the patch https://github.com/pimcore/perspective-editor/pull/121.patch manually.