
Critical: Potential Command Injection Vulnerability in Parameter Handling (Version 4.1.3) #502

Closed
RalfHuesingBTC opened this issue Jan 8, 2025 · 1 comment


@RalfHuesingBTC

Q A
Bug report? yes
Feature request? no
BC Break report? no
RFC? no

Hello,

We are currently using pimcore-formbuilder version 4.1.3 in our Pimcore 10 environment. During a recent security audit, a critical issue was identified in the handling of user inputs for form parameters.

The vulnerability appears to allow command injection via certain form parameters. Specifically, the following behavior was observed:

The parameter formbuilder_3[name_fieldset][0][lastname] was manipulated to include a malicious payload:
& ping -c 1 malicious-domain.com
This payload was processed by the application, resulting in a DNS request to the attacker's domain.
The vulnerability aligns with CWE-78: OS Command Injection and has a CVSS score of 9.8 in our analysis. This suggests the affected logic might improperly handle user input and pass it into a system command.

Reproduction Steps:

  1. Submit a form built using pimcore-formbuilder with a crafted payload in a text field (e.g., lastname).
  2. Observe the application's behavior: a DNS query or system command is executed with the provided input.

Questions:

  • Has this issue been identified and resolved in newer versions (e.g., 4.5.6)?
  • Are there any known fixes or patches for version 4.1.3 that we can apply until an upgrade is possible?
  • Are there any specific release notes or changelogs addressing such input validation issues?

We would appreciate any guidance on whether this issue is known, and if upgrading to version 4.5.6 addresses it.

Thank you for your support,
Ralf Huesing

@solverat
Member

solverat commented Jan 8, 2025

Hey @RalfHuesingBTC, thanks for the investigation!

Formbuilder uses the Symfony form component to process request data. There are no additional modifications during this process. I also was not able to reproduce it.

But maybe there is something within the workflow processes or even in your application.

Could you provide me some more information:

  • Symfony Version
  • Formbuilder Workflow Configuration of the affected form

Since this is a (potential) security issue, please respond via email ([email protected]).

Thank you!
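As an added illustration (not code from Formbuilder, Pimcore, or either participant), the following PHP shows the three ways an application-side hook, for example a custom workflow step that hands a submitted field to an external program, can turn a form value into a command, and why only the first one makes the payload quoted in the issue execute `ping`. The program `/usr/local/bin/notify-crm` and the function names are hypothetical; the payload is the one from the report, embedded as a constructed sample. The script only prints the command lines it would build, so it runs offline without contacting malicious-domain.com.

```php
<?php
declare(strict_types=1);

// Added example, not Formbuilder/Pimcore code. The Symfony form component
// only binds request data to PHP values; a shell is reached only if some
// application or workflow code builds a command from a bound value.

// Constructed sample: the payload quoted in the issue.
const PAYLOAD = '& ping -c 1 malicious-domain.com';

// 1. VULNERABLE: string interpolation into a shell command line.
//    `&` is a command separator for /bin/sh, so the shell runs
//    `notify-crm --name` and then `ping -c 1 malicious-domain.com`,
//    which is exactly the DNS lookup the report describes.
function buildCommandVulnerable(string $lastname): string
{
    return '/usr/local/bin/notify-crm --name ' . $lastname;  // hypothetical program
}

// 2. MITIGATED: escapeshellarg() single-quotes the value, so the whole
//    payload reaches notify-crm as one literal argument.
function buildCommandEscaped(string $lastname): string
{
    return '/usr/local/bin/notify-crm --name ' . escapeshellarg($lastname);
}

// 3. PREFERRED: no shell at all. proc_open() accepts an argv array since
//    PHP 7.4 and then exec()s the program directly, so shell metacharacters
//    are never interpreted. This returns the argv that would be executed.
function buildArgvNoShell(string $lastname): array
{
    return ['/usr/local/bin/notify-crm', '--name', $lastname];
}

// Executes an argv array without a shell (not called in the demo because
// the program is hypothetical).
function runNoShell(array $argv): int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Defense in depth: a last name has no business containing shell
// metacharacters, so reject the value before it reaches any command builder.
// Letters (any script), apostrophe, space and hyphen, 1..100 characters.
function isPlausibleLastName(string $value): bool
{
    return (bool) preg_match("/^[\\p{L}' \\-]{1,100}$/u", $value);
}

// Demonstration: build, do not execute.
echo "vulnerable : ", buildCommandVulnerable(PAYLOAD), PHP_EOL;
echo "escaped    : ", buildCommandEscaped(PAYLOAD), PHP_EOL;
echo "no shell   : ", json_encode(buildArgvNoShell(PAYLOAD)), PHP_EOL;
echo "validated  : ", isPlausibleLastName(PAYLOAD) ? 'accepted' : 'rejected', PHP_EOL;
echo "validated  : ", isPlausibleLastName("O'Brien-Müller") ? 'accepted' : 'rejected', PHP_EOL;
```

When triaging a report like this one, the useful check is to grep the application and any workflow or event-listener code for `shell_exec`, `exec`, `system`, `passthru`, `popen`, backtick operators and string-form `proc_open`/`Process::fromShellCommandline` that receive form data; the array-form `proc_open` or a Symfony `Process` constructed with an argument array does not give the payload a shell to talk to.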
