Описание
SQL Injection in Admin download files as zip
Summary
The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.
Details
downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not. The following code should be added:
PoC
- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
- Log In. Grab the
X-pimcore-csrf-tokenheader from any request to the backend, as well as thePHPSESSIDcookie. - Run the following script, substituting the values accordingly:
- The response is delayed by 6 seconds.
Impact
Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.
Ссылки
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv
- https://nvd.nist.gov/vuln/detail/CVE-2024-23646
- https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8
- https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
- https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
- https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2
Пакеты
pimcore/admin-ui-classic-bundle
>= 1.0.0, < 1.3.2
1.3.2
Связанные уязвимости
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.