CVE-2024-41109
Pimcore vulnerable to disclosure of system and database information behind /admin firewall
Description
### Summary Navigating to `/admin/index/statistics` with a **logged in Pimcore user** (not an XmlHttpRequest because of this check: [IndexController:125](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40)) exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system. > The web server should not return any product and version information of the components used. The table names and row counts should not be exposed. ### Details `/admin/index/statistics` returns the following JSON-response: ``` { { "instanceId": "...", "pimcore_major_version": 11, "pimcore_version": "v11.3.1", "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008", "pimcore_platform_version": "v2024.2", "php_version": "8.3.8", "mysql_version": "10.11.8-MariaDB-ubu2204", "bundles": [ // all installed bundles ], "tables": [ // all tables and their row count, e.g: { "name": "users", "rows": 2 }, ] } ``` Information about the Pimcore Version can also be seen here: In a current Version: ](https://github.com/user-attachments/assets/f0f478da-ceca-4bd5-a391-3fe8458fa3d2) ](https://github.com/user-attachments/assets/152f6ad7-2cb3-42eb-bf05-1066a3496d59) In Pimcore Version 10.6.9: ](https://github.com/user-attachments/assets/907fb8d8-81b3-450f-bdb0-3e6193bfc243) ](https://github.com/user-attachments/assets/c4d89b88-f458-4023-a29f-d2ef652b2c3b) ### PoC - [[Demo App](https://demo.pimcore.fun/admin)](https://demo.pimcore.fun/admin) with credentials user: admin and pass: demo - Watching Network-Tab in Developer-Tools and looking for `/admin/index/statistics` ### Impact Only for logged in Pimcore users possible. ### Workaround and Patch We patched the following additional check for Pimcore v10.6.9. This uses an app-specific class but any user permission would be ok. This resolves navigating to `/admin/index/statistics`. ```patch diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php --- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (revision dd81ef4c666b18c254333867a60f6ed455025076) +++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (date 1721225746781) @@ -15,6 +15,7 @@ namespace Pimcore\Bundle\AdminBundle\Controller\Admin; +use App\Constant\UserPermission; use Doctrine\DBAL\Connection; use Exception; use Pimcore\Analytics\Google\Config\SiteConfigProvider; @@ -142,6 +143,12 @@ throw $this->createAccessDeniedHttpException(); } + $user = $this->tokenResolver->getUser(); + + if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) { + throw $this->createAccessDeniedException(); + } + // DB try { $tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES ```` For the Pimcore versions in the UI we used the IndexActionSettingsEvent. This works for Versions < Pimcore 11: ```php <?php namespace App\EventListener\Admin; use App\Constant\UserPermission; use Pimcore\Bundle\AdminBundle\Event\AdminEvents; use Pimcore\Event\Admin\IndexActionSettingsEvent; use Pimcore\Security\User\TokenStorageUserResolver; use Symfony\Component\EventDispatcher\EventSubscriberInterface; /** * @deprecated and cannot be used in Pimcore 11 */ class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface { public function __construct(private readonly TokenStorageUserResolver $tokenResolver) { } public static function getSubscribedEvents() { return [ AdminEvents::INDEX_ACTION_SETTINGS => ['onIndexActionSettingsEvent'], ]; } public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void { $user = $this->tokenResolver->getUser(); if ($user->isAdmin() || $user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) { return; } $settings = $event->getSettings(); $settings['instanceId'] = ''; $settings['version'] = ''; $settings['build'] = ''; $event->setSettings($settings); } } ```