### Impact
User with administrative privileges and upload files that look like images but contain PHP code which can then be executed in the context of the web server.


Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-rhc2-23c2-ww7c

**Remote code execution in web server context**

High severity GitHub Reviewed Published Jun 4, 2024 in aimeos/aimeos-core • Updated Jun 5, 2024

**Package**

composer aimeos/aimeos-core (Composer)

**Affected versions**

\>= 2024.04.1, < 2024.04.5

**Patched versions**

2024.04.5

**Description**

**Impact**

User with administrative privileges and upload files that look like images but contain PHP code which can then be executed in the context of the web server.

**References**

*   GHSA-rhc2-23c2-ww7c

Published to the GitHub Advisory Database

Jun 5, 2024

GHSA-rhc2-23c2-ww7c: Remote code execution in web server context

This post was authored by Kalpesh Mantri. 

Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
These campaigns, active since the second week of

Wednesday, June 5, 2024 08:00

_This post was authored by Kalpesh Mantri._ 

*   Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
*   These campaigns, active since the second week of March, leverage tactics, techniques, and procedures (TTPs) that we have not previously observed in DarkGate attacks. 
*   These campaigns rely on a technique called “Remote Template Injection” to bypass email security controls and to deceive the user into downloading and executing malicious code when the Excel document is opened.  
*   DarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these campaigns, AutoHotKey scripting was used instead of AutoIT.  
*   The final DarkGate payload is designed to execute in-memory, without ever being written to disk, running directly from within the AutoHotKey.exe process. 

The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been observed distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the latest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of DarkGate actors in altering the infection chain to evade detection. 

**Email campaigns **

This research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention. 

Talos’ intent analysis of these emails revealed that the primary purpose of the emails primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document. 

This peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.  

The table below includes some of the observed changes in attachment naming convention patterns over time.  

End Date 

Format 

Examples 

March 12, 2024 

March 19, 2024 

march-D%-2024.xlsx 

march-D5676-2024.xlsx 

march-D3230-2024.xlsx 

march-D2091-2024.xlsx 

March 15, 2024 

March 20, 2024 

ACH-%March.xlsx 

ACH-5101-15March.xlsx 

ACH-5392-15March.xlsx 

ACH-4619-15March.xlsx 

March 18, 2024 

March 19, 2024 

attach#%-2024.xlsx 

attach#4919-18-03-2024.xlsx 

attach#8517-18-03-2024.xlsx 

attach#4339-18-03-2024.xlsx 

March 19, 2024 

March 20, 2024 

march19-D%-2024.xlsx 

march19-D3175-2024.xlsx 

march19-D5648-2024.xlsx 

march19-D8858-2024.xlsx 

March 26, 2024 

March 26, 2024 

re-march-26-2024-%.xls? 

re-march-26-2024-4187.xlsx 

re-march-26-2024-7964.xlsx 

re-march-26-2024-4187.xls 

April 3, 2024 

April 5, 2024 

april2024-%.xlsx 

april2024-2032.xlsx 

april2024-3378.xlsx 

april2024-4268.xlsx 

April 9, 2024 

April 9, 2024 

statapril2024-%.xlsx 

statapril2024-9505.xlsx 

statapril2024-9518.xlsx 

statapril2024-9524.xlsx 

April 10, 2024 

April 10, 2024 

4\_10\_AC-%.xlsx\* 

4\_10\_AC-1177.xlsx 

4\_10\_AC-1288.xlsx 

4\_10\_AC-1301.xlsx 

_\*Variant redirecting to JavaScript file instead of VBS._ 

**Victimology **

Based on Cisco Talos telemetry, this campaign targets the U.S. the most often compared to other geographic regions.

Healthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries. 

**Technical analysis **

Our telemetry indicates that malspam emails were the primary source of delivery for this campaign. It is an active campaign using attached Excel documents attempting to lure users to download and execute remote payloads.  

As shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share. 

The overall infection process associated with this campaign is shown below. 

The infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique, called “Remote Template Injection,” to trigger the automatic download and execution of malicious contents hosted on a remote server. 

Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features. By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.  

When the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server. 

The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server. 

This PowerShell script retrieves the next stage’s components and executes them, as shown below. 

**Payload analysis **

On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts. 

AutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, their differences lie in their syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains. 

As shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file, there is base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 

As shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across infection chains that were analyzed. 

In this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk). 

The executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below. 

**Persistence mechanisms **

Components used during the final stage of the infection process are stored at the following directory location: 

*   C:\\ProgramData\\cccddcb\\AutoHotKey.exe 
*   C:\\ProgramData\\cccddcb\\hafbccc.ahk 
*   C:\\ProgramData\\cccddcb\\test.txt 

Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system. 

C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk 

C:\\ProgramData\\cccddcb\\AutoHotkey.exe  C:\\ProgramData\\cccddcb"C:\\ProgramData\\cccddcb\\hafbccc.ahk 

Talos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. However, because of the evolving nature of recent DarkGate campaigns — as demonstrated by the shift from AutoIT to AutoHotKey scripts and use of remote template injection — serves as a stark reminder of the continuous arms race in cybersecurity. 

**Coverage **

 Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The following Snort SIDs apply to this threat:  

*   **Snort 2 SIDs:** 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524 
*   **Snort 3 SIDs:** 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524 

The following ClamAV detections are also available for this threat:  

*   Doc.Malware.DarkGateDoc 
*   Ps1.Malware.DarkGate-10030456-0 
*   Vbs.Malware.DarkGate-10030520-0 

**Indicators of Compromise (IOCs) **

Indicators of Compromise (IOCs) associated with this threat can be found here.  

Below is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.  

hxxp://badbutperfect\[.\]com 

hxxp://withupdate\[.\]com 

hxxp://irreceiver\[.\]com 

hxxp://backupitfirst\[.\]com 

hxxp://goingupdate\[.\]com 

hxxp://buassinnndm\[.\]net 

anti\_analysis = true 

anti\_debug = false 

anti\_vm = true 

c2\_port = 80 

internal\_mutex (Provides the XOR key/maker used for DarkGate payload decryption) = WZqqpfdY 

ping\_interval = 60 

startup\_persistence = true 

username = admin

DarkGate switches up its tactics with new payload, email templates

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about…

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about the hack attributed to IntelBroker and the ongoing response to secure user data.

A database owned by Tech in Asia, a prominent technology news outlet focusing on startups and technological innovations across Asia, has been compromised. The breach was announced by a hacker known by the pseudonym “Sanggiero,” linked to the infamous hacking collective, IntelBroker.

Screenshot from the hacker’s post on Breach Forums (Credit: Hackread.com)

Tech in Asia, which has received backing from Eduardo Saverin, the co-founder of Facebook, operates from bases in Singapore and Jakarta. The platform is a critical resource for news on technological advancements and entrepreneurial ventures in the region.

Details of the breach were disclosed late last night on several dark web forums, including the infamous cybercrime and data leak forum Breach Forums. Sanggiero claimed responsibility for the hack, stating that it occurred in June 2024 and impacted over 221,470 individuals.

As seen by Hackread.com, the leaked information includes user data such as the following:

*   **Roles**
*   **Full names**
*   **Display names**
*   **Email addresses**
*   **Date of registration.**

Hackread.com analysed the leaked data

As confirmed by Tech in Asia to Hackread.com in an exclusive statement, these records belong to its users. However, the good news is that no passwords were leaked. According to Sanggiero, the data was accessed by exploiting several critical vulnerabilities in Tech in Asia’s API and other bugs that allowed access to the internal services of the website.

> _“We confirm that the Tech in Asia Indonesia site was compromised, but the main Tech in Asia site remains secure. The situation has been contained. We apologise to users affected by this incident and will contact them with safety measures. Only email addresses and names were leaked; account passwords remain secure. We are taking further measures to ensure that our users’ data remains safe.”_
> 
> Tech in Asia

The motives behind the breach are obvious. Additionally, IntelBrokers has been known for targeting high-profile companies and top security agencies. Some of the group’s previous hacks include Europol, Home Depot, ICE, USCIS, HSBC and Barclays Bank.

This incident leaves a critical lesson for all companies: Cybersecurity isn’t a one-time setup but a continual process. As cyber threats become more complex and frequent, it’s vital that businesses consistently enhance security. Doing so not only protects sensitive data but also builds and maintains the trust of its users.

_Follow our dedicated cybersecurity news coverage for updates on this story and more._

1.  AT&T Confirms Data Breach Affecting 73 Million Users
2.  Massive Data Breach Exposes Info of 43 Million French Workers
3.  API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names
4.  American Express Cardholders Impacted by 3ed-Party Data Breach
5.  Dell Discloses Data Breach As Hacker Sells 49 Million Customer Data
6.  Ticketmaster Suffers Data Breach: 560M Users’ Info for Sale at $500K

Hackers Leak 221,470 Users’ Data in “Tech in Asia” News Outlet Breach

A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the US—and why your city could be next.

The Age of the Drone Police Is Here

Wyoming’s secretary of state has proposed ways of “preventing fraud and abuse of corporate filings by commercial registered agents” in the aftermath of the scheme’s exposure.

For years, the Federal Bureau of Investigation has been unraveling what it asserts is a scam perpetrated by agents of North Korea, which used fake companies employing real IT workers to funnel money back to the regime’s military.

An American company played a key role in creating shell companies used as part of the scheme, a WIRED review of public records shows. Elected officials are now contemplating addressing loopholes in business-registration law that the scheme exposed.

In May, Wyoming secretary of state Chuck Gray revoked the business licenses of three companies linked to the North Korean scam: Culture Box LLC, Next Nets LLC, and Blackish Tech LLC. Gray said his office made the decision after receiving information from the FBI and conducting an investigation.

“The communist, authoritarian Kim Jong Un regime has no place in Wyoming,” Gray said in a May press release.

The companies posed as legitimate operations where businesses could hire contract workers to perform IT solutions, complete with fake websites featuring smiling photos of apparent employees. The companies all had one thing in common: Their incorporation documents were filed by a company called Registered Agents Inc., which says its global headquarters is in Sheridan, Wyoming.

Registered Agents, which provides incorporation services in every US state, takes the practice of business privacy to the extreme, and regularly uses fake personae to file formation documents with state agencies, a WIRED investigation previously found.

Culture Box LLC, one of the companies that Gray and the FBI linked to North Korea, listed “Riley Park” as the name of a Registered Agents employee on documents submitted to the Wyoming secretary of state. Park, according to several former employees of Registered Agents, is a fake persona that the company regularly used to file incorporation documents.

In a statement provided to WIRED, Registered Agents wrote, “The Wyoming Secretary of State dissolved the entities and we initiated the 30-day process to resign as their agent in mid-May. Ours and Wyoming's processes to identify bad actors works. It strikes the best balance of individual privacy and business transparency supported by an entire ecosystem that cares about supporting entrepreneurs while rooting out the small percent of scammers.” The FBI’s St. Louis office, which led the investigation, did not respond to a request for comment.

The North Korean operation worked like this: Agents of the regime created fake companies purporting to be legitimate firms offering freelance IT services. Workers hired by North Koreans, or North Koreans themselves, would then perform legitimate contractor work, often using assumed identities.

In some instances, Americans would set up low-cost laptops with remote-access software, allowing North Korean workers to perform freelance IT work while appearing to use American IP addresses. The FBI referred to these Americans as “virtual assistants.”

The payments for the IT work were eventually funneled back to North Korea—where, the Department of Justice asserts, it was directed to the country’s Ministry of Defense and other agencies involved in WMD work. The scheme was so expansive that any company that hired freelance IT workers “more than likely” hired someone involved in the operation, according to FBI agent Jay Greenberg.

The shell companies created in Wyoming were used to hire virtual assistants and receive payments.

“I discovered that North Korean IT workers create and use domain names and limited liability companies (LLCs) in furtherance of their fraudulent activity and to mask their true identities as North Koreans. The LLCs are used to recruit ‘Virtual Assistants’ who can receive and ship devices needed for the North Korean IT workers as well as recruit and employ software developers from countries such as Pakistan, India, and China,” an FBI agent wrote in a May affidavit. “These LLCs are often registered in the United States through business registry services and sometimes use the identities of individuals who had a previous relationship with North Korean IT workers.”

The affidavit alleges that money from North Korean workers was used to purchase domain names for the IT front companies, in violation of sanctions laws. The domains were purchased using “payment service providers” with accounts belonging to the Wyoming companies.

In response to a request for comment from WIRED, the Wyoming secretary of state’s office said that it has “increased the number of complete, in-person audits of commercial registered agents, resulting in several ongoing investigations, as well as the issuance of findings and orders.”

The secretary of state has offered proposals to the Wyoming state legislature “aimed at preventing fraud and abuse of corporate filings by commercial registered agents, as ways to strengthen the Wyoming secretary of state's administrative authority to dissolve business entities controlled by foreign adversaries,” said Joe Rubino, the chief policy officer and general counsel at the Wyoming Secretary of State's Office.

An American Company Enabled a North Korean Scam That Raised Money for WMDs

These scammers are persistent and want your billing information to extort money from you.

Back in February, we reported on malicious ads related to utility bills (electricity, gas) that direct victims to call centers where scammers will collect their identity and try to extort money from them.

A few months later, we checked and were able to find as many Google ads as before, following very much the same pattern. In addition, we can see that miscreants are trying to legitimize their operations by creating fake U.S.-based entities.

**Utility-based ads targeting mobile phones**

It only took us 15 minutes to find about a dozen fraudulent ads on Google related to utility bills. This campaign is targeting mobile devices only, as far as we can tell, and U.S. residents. All the ads seen below belong to different advertisers based in Pakistan.

Some of those advertiser accounts have a fairly large footprint with several hundred ads.

Most often, the ad is not associated with a landing page (although a URL is displayed); instead clicking on the ad will bring up the phone number and prompt you to dial. Having said that, the domains used belong to the scammers and are often fairly new.

We also saw several ads that at first appear somewhat legitimate. They are registered to advertisers based in the US and their websites look almost authentic. But when you start checking the details, you realize some things don’t add up, such as an address that leads to an apartment complex.

**Consumer protection**

The Federal Trade Commission (FTC) has an article about utility scams, however the technique mentioned there is about scammers calling victims, rather than the other way around. For good reason many people won’t answer the phone when it shows an unknown number as it is likely yet another telemarketer. Certainly, there are victims that will answer the phone but the scam is much more effective when you are the one to initiate the call.

We have reported the fraudulent advertiser accounts to Google while we are also adding related domains to our blocklist. Remember to be extremely vigilant before calling anyone, especially if that number came from an advertisement. If in doubt, go directly to your utility company’s website using a computer and then look for a form or phone number that you can verify before dialing.

 Utility scams update 

# Details
## 1. All Imagick supported Fileformats are served without filtering

The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize than the original. For example we can create a .txt file for all thumbnails, and we get the text representation of the image.

We can demonstrate that with the pimcore demo: 

This Thumbnail is found on the Frontend: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.avif (12kb Filesize)

We can generate a text representation by simply changing the file extension: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.txt (4.59mb Filesize)

Other (large) fileformats we tested: ftxt, dip, bmp, bmp3, bmp2, farbfeld, cmyk, cmyka, ycbcr, ycbcra and many more (just check imagemagick supported formats)

With that we can fill the available space of a server really easy.

With formats like yaml or json we can also expose exif data of the original image file - could be a concern with gps data in user uploaded images.

### TLDR

- we can generate all imagemagick supported formats with all thumbnail configs
- all configs were the format is set to "auto (Web-optimized)" are vulnerable
- private (exif) data can be exposed.
- We can flood the the server with a bunch of files that are a multiple magnitudes of the original thumbnail size (see txt example), for all thumbnail configs, with every image that we find (scriptable)

### Proposed Solution

Implement a list of allowed formats that the developer can modify if needed, if a file is requested in another format than listed, pimcore should return either "/bundles/pimcoreadmin/img/filetype-not-supported.svg" or a 404.

```yaml
pimcore:
    thumbnails:
    	allowed_formats: ['jpg', 'png', 'avif', 'webp', 'gif']
```

For non-maintained Pimcore versions (<11), the webserver config could be used to only serve files that should be allowed. 

## 2. Non Web optimized file formats (ORIGINAL, JPG, PNG)  creates duplicated files on Server

With Thumbnail config that are configured to serve non web optimized file formats (such as ORIGINAL, jpg, png, print, etc) we can create files with arbitrary file formats that are saved to disk.

For example, the thumbnail configuration "print_backgroundimage" (in the pimcore demo) can be used to create files such as: 

https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aaa
https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aab
https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aac 

Each request creates a new copy of the original (jpg) thumbnail file. The server can be flooded with a bunch of files.

Code for this mechanism is here: https://github.com/pimcore/pimcore/blob/11.x/models/Asset/Service.php#L621-L623

### Proposed Solution

Use same filtered list from "All Imagick supported Fileformats are served without filtering" and do not copy the arbitrary file to disk, just serve the original image file under the "new" name.

## 3. Scaling Factor is not limited and can be modified via url

We can scale each thumbnail to an arbitrary factor with @<float>x added to the request url.

For example: 

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1x.avif
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.01x.avif
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.08x.avif
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@2x.avif

If the thumbnail config allows "forced" resizing, we could also do something like:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@192x.avif  

Each request will create a new file, flooding the server with more files.
If the factor is big enough, we can also max out the CPU with a single request for quite some time (only really a problem with "forced")

In combination with the first vulnerability we can also generate (large) text files for scaled images:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@4x.txt (6.6 mb filesize)

### Proposed solution

Limit scale factors with an allowlist:

```yaml
pimcore:
    thumbnails:
    	allowed_scale_factors: [1.25, 1.5, 2, 4]
```


# Impact
All Pimcore Instances are affected, as far as we can see, also all versions

**Details****1\. All Imagick supported Fileformats are served without filtering**

The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize than the original. For example we can create a .txt file for all thumbnails, and we get the text representation of the image.

We can demonstrate that with the pimcore demo:

This Thumbnail is found on the Frontend: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89.avif (12kb Filesize)

We can generate a text representation by simply changing the file extension: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89.txt (4.59mb Filesize)

Other (large) fileformats we tested: ftxt, dip, bmp, bmp3, bmp2, farbfeld, cmyk, cmyka, ycbcr, ycbcra and many more (just check imagemagick supported formats)

With that we can fill the available space of a server really easy.

With formats like yaml or json we can also expose exif data of the original image file - could be a concern with gps data in user uploaded images.

**TLDR**

*   we can generate all imagemagick supported formats with all thumbnail configs
*   all configs were the format is set to "auto (Web-optimized)" are vulnerable
*   private (exif) data can be exposed.
*   We can flood the the server with a bunch of files that are a multiple magnitudes of the original thumbnail size (see txt example), for all thumbnail configs, with every image that we find (scriptable)

**Proposed Solution**

Implement a list of allowed formats that the developer can modify if needed, if a file is requested in another format than listed, pimcore should return either "/bundles/pimcoreadmin/img/filetype-not-supported.svg" or a 404.

pimcore:
    thumbnails:
    	allowed\_formats: \['jpg', 'png', 'avif', 'webp', 'gif'\]

For non-maintained Pimcore versions (<11), the webserver config could be used to only serve files that should be allowed.

**2\. Non Web optimized file formats (ORIGINAL, JPG, PNG) creates duplicated files on Server**

With Thumbnail config that are configured to serve non web optimized file formats (such as ORIGINAL, jpg, png, print, etc) we can create files with arbitrary file formats that are saved to disk.

For example, the thumbnail configuration "print\_backgroundimage" (in the pimcore demo) can be used to create files such as:

https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb\_\_3\_\_print\_backgroundimage/auto-3095119.aaa  
https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb\_\_3\_\_print\_backgroundimage/auto-3095119.aab  
https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb\_\_3\_\_print\_backgroundimage/auto-3095119.aac

Each request creates a new copy of the original (jpg) thumbnail file. The server can be flooded with a bunch of files.

Code for this mechanism is here: https://github.com/pimcore/pimcore/blob/11.x/models/Asset/Service.php#L621-L623

**Proposed Solution**

Use same filtered list from "All Imagick supported Fileformats are served without filtering" and do not copy the arbitrary file to disk, just serve the original image file under the "new" name.

**3\. Scaling Factor is not limited and can be modified via url**

We can scale each thumbnail to an arbitrary factor with @x added to the request url.

For example:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@1x.avif  
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@1.01x.avif  
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@1.08x.avif  
https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@2x.avif

If the thumbnail config allows "forced" resizing, we could also do something like:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@192x.avif

Each request will create a new file, flooding the server with more files.  
If the factor is big enough, we can also max out the CPU with a single request for quite some time (only really a problem with "forced")

In combination with the first vulnerability we can also generate (large) text files for scaled images:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb\_\_317\_\_standardTeaser/11.8c64bd89@4x.txt (6.6 mb filesize)

**Proposed solution**

Limit scale factors with an allowlist:

pimcore:
    thumbnails:
    	allowed\_scale\_factors: \[1.25, 1.5, 2, 4\]

**Impact**

All Pimcore Instances are affected, as far as we can see, also all versions

**References**

*   GHSA-277c-5vvj-9pwx
*   https://nvd.nist.gov/vuln/detail/CVE-2024-32871
*   pimcore/pimcore@38af70b
*   pimcore/pimcore@a6821a1

GHSA-277c-5vvj-9pwx: Flooding Server with Thumbnail files

Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says.⁩ Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

The company unveiled Recall as part of a Surface laptop event last month. The tool continuously takes screenshots of whatever’s happening on your PC. Recall is intended to allow people to “retrieve” things you’ve done on your machine—whether it’s web pages you’ve visited or messages you’ve been sent—using natural language search queries. Microsoft’s description of the tool says Recall could be used to search for recipes you’ve looked at online but whose websites you’ve forgotten.

TotalRecall, Hagenah says, can automatically work out where the Recall database is on a laptop and then make a copy of the file, parsing all the data as it does so. While Microsoft’s new Copilot+ PCs aren’t out yet, it’s possible to use Recall by emulating a version of the devices. “It does everything automatically,” he says. The system can set a date range for extracting the data—for instance, pulling information from only one specific week or day. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, Hagenah⁩ says.

Included in what the database captures are screenshots of whatever is on your desktop—a potential gold mine for criminal hackers or domestic abusers who may physically access their victim’s device. Images include captures of messages sent on encrypted messaging apps Signal and WhatsApp, and remain in the captures regardless of whether disappearing messages are turned on in the apps. There are records of websites visited and every bit of text displayed on the PC. Once TotalRecall has been deployed, it will generate a summary about the data; it is also possible to search for specific terms in the database.

Hagenah⁩ says an attacker could get a huge amount of information about their target, including insights into their emails, personal conversations, and any sensitive information that’s captured by Recall.

Hagenah’s work builds on findings from cybersecurity researcher Kevin Beaumont, who has detailed how much information Recall captures and how easy it can be to extract it. Beaumont also says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system. “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall,” Beaumont writes.

The criticisms come as hacks of Microsoft systems have led to various US government data breaches; Nadella has said security should be Microsoft’s “top priority.” Microsoft did not respond to WIRED’s request for comment about the security features of Recall by the time of publication.

Recall’s privacy pages say it is possible to disable saving screenshots (effectively turning Recall off), pause the system temporarily, filter applications where screenshots are taken, and delete what is gathered at any time. Recall runs on the laptop itself, storing data it captures on the device and not sending this information to Microsoft’s servers. Hagenah⁩ says this claim appears to be true, with no signs that data is sent to Microsoft.

Microsoft is, at least, aware of some of the possible privacy and security-related issues with Recall: Its help pages say the system does not perform any content moderation on what is contained in the images it saves. This means, Microsoft says in the guide, that it won’t “hide information such as passwords or financial account numbers.” Security researchers have already been able to extract passwords from Recall.

Recall’s main database is stored on the laptop’s system directory, and while it needs administrator rights to access, privilege escalation attacks have been around for years, making it theoretically possible for an attacker to gain initial access to a device remotely.

Hagenah⁩ says that in cases of employers with “bring your own devices” policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops. That’s a particular risk if they’re disgruntled or leave on bad terms, he says. The UK’s data protection regulator, the Information Commissioner’s Office, has asked Microsoft to provide more details about Recall and its privacy.

While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” He adds: “They also need to review the internal decisionmaking that led to this situation, as this kind of thing should not happen.”

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

Red Hat Security Advisory 2024-3576-03 - New images are available for Red Hat build of Keycloak 24.0.5 and Red Hat build of Keycloak 24.0.5 Operator, running on OpenShift Container Platform.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3576.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: Red Hat build of Keycloak 24.0.5 Images enhancement and security updateAdvisory ID:        RHSA-2024:3576-03Product:            Red Hat build of KeycloakAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3576Issue date:         2024-06-03Revision:           03CVE Names:          CVE-2024-4540====================================================================Summary: New images are available for Red Hat build of Keycloak 24.0.5 and Red Hat build of Keycloak 24.0.5 Operator, running on OpenShift Container PlatformRed Hat Product Security has rated this update as having a security impact ofLow. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 24.0.5 clusters.This erratum releases new images for Red Hat build of Keycloak 24.0.5 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.Security Fix(es):* exposure of sensitive information in Pushed Authorization Requests (PAR)KC_RESTART cookie (CVE-2024-4540)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:CVEs:CVE-2024-4540References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2279303

Red Hat Security Advisory 2024-3576-03

Red Hat Security Advisory 2024-3575-03 - An update is now available for Red Hat build of Keycloak.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3575.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: Red Hat build of Keycloak 24.0.5 enhancement and security updateAdvisory ID:        RHSA-2024:3575-03Product:            Red Hat build of KeycloakAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3575Issue date:         2024-06-03Revision:           03CVE Names:          CVE-2024-4540====================================================================Summary: An update is now available for Red Hat build of Keycloak.Red Hat Product Security has rated this update as having a security impact ofLow. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat build of Keycloak 24.0.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.Security Fix(es):* exposure of sensitive information in Pushed Authorization Requests (PAR) KC_RESTART cookie (CVE-2024-4540)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:CVEs:CVE-2024-4540References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2279303

Tag

#web