Confidential information provided to user with no permissions in pimcore/pimcore

Valid

Reported on

Jun 19th 2023


Description

Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc.

Proof of Concept

  1. create a new user without any permissions attached
  2. do NOT assign any permissions to the user
  3. do NOT add any locations to the user's workspace
  4. do NOT add it to any roles, etc
  5. log in as the said user
  6. UI will be almost completely empty, but still several fetch requests in console are providing information the user shouldn't have access to

Impact

Endpoints

/admin/index/statistics

  • includes PHP, MySQL and Pimcore versions
  • includes installed bundles
  • includes list of all database tables, each with a number of rows available in it

/admin/settings/get-available-sites

  • enumerates available sites and their configuration (the user doesn't have permissions to access sites)

/admin/class/get-tree?createAllowed=true

  • enumerates current classes and their configuration (the user doesn't have permissions to access classes)

These were just the requests the UI itself did and they worked, it's quite possible others would work too.

We are processing your report and will contact the pimcore team within 24 hours. 8 months ago
We have contacted a member of the pimcore team and are waiting to hear back 8 months ago
pimcore/pimcore maintainer has acknowledged this report 8 months ago
Divesh Pahuja
8 months ago

Maintainer


Hi @dkarlovi we can validate the report for "/settings/get-available-sites" & "/class/get-tree" endpoints and it will be fixed with respective permissions.

However "/index/statistics" doesn't seems to be exposing information which leads to attack since this can only be called by the trusted application users and needs a valid admin session. The trusted user can check pimcore version on UI, php version is already in response headers & installed tables are listed on docs explaining the tables installed by the application. yes, we can strip down the mysql version to minor.

Dalibor
7 months ago

Researcher


Hey @dvesh,

I don't agree with your estimate of "/index/statistics":

php version is already in response headers

That should absolutely not be the case on any production deployment of PHP, "expose_php=off" should be set on production deployments of PHP by default and is standard practice on for example RHEL and RHEL derivates.

installed tables are listed on docs

This is true, but this seems to be both enumerating all tables, not just the ones in the docs (which I suppose is the point, your telemetry wouldn't make sense to just copy the info you already know will be there) and the amount of data in each, either of which is definitely not information an unauthorized user should have.

Also, don't forget this part

includes installed bundles

This is also privileged information which an unauthorized user shouldn't have.

Divesh Pahuja validated this vulnerability 7 months ago
dkarlovi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.6.4 with commit 023752 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 7 months ago
to join this conversation