GHSA-c8hj-w239-5gvf

Source
https://github.com/advisories/GHSA-c8hj-w239-5gvf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-c8hj-w239-5gvf/GHSA-c8hj-w239-5gvf.json
Aliases
Published
2023-11-15T14:49:41Z
Modified
2023-11-15T23:32:43.599038Z
Details

Impact

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)"

Patches

Apply patch https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch

Workarounds

Update to version 1.2.1 or apply patches manually

References

https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/

References

Affected packages

Packagist / pimcore/admin-ui-classic-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.2.1

Affected versions

v1.*

v1.0.0-BETA1
v1.0.0-RC1
v1.0.0-RC2
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.1.0-RC1
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2
v1.2.0-RC1