SQL Injection in pimcore/pimcore

Valid

Reported on

Jan 9th 2022

Description

The storeId parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

Proof of Concept

Add items to Classification Store: Key definition, Group,...
Injection (boolean base):

https://demo.pimcore.fun/admin/classificationstore/properties?_dc=1639830472106&storeId=1))+and+((1=2&page=1&start=0&limit=25

Impact

A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data

Occurrences

ClassificationstoreController.php L1245

We are processing your report and will contact the pimcore team within 24 hours. 2 years ago

We have contacted a member of the pimcore team and are waiting to hear back 2 years ago

We have sent a follow up to the pimcore team. We will try again in 7 days. 2 years ago

Bernhard Rusch validated this vulnerability 2 years ago

laladee has been awarded the disclosure bounty

The fix bounty is now up for grabs

Bernhard Rusch marked this as fixed with commit 66281c 2 years ago

Bernhard Rusch has been awarded the fix bounty

This vulnerability will not receive a CVE

ClassificationstoreController.php#L1245 has been validated

to join this conversation