Pimcore Blind SQL Injection Vulnerability in Admin Search Find API

Vulnerability

A blind SQL injection vulnerability has been identified in the Pimcore Admin Search Find API, affecting versions prior to 12.3.1 and 11.5.14. The issue arises from an incomplete SQL injection patch that allows authenticated attackers to inject SQL payloads through the 'fields[]' parameter. Although a previous mitigation attempt removed SQL comments and intercepted syntax errors, it failed to address other injection methods. As a result, attackers can exploit this vulnerability to infer database information, potentially leading to a full database compromise, depending on database privileges.

Impact

Exploitation of this vulnerability allows for blind SQL injection, where an attacker can execute SQL queries that are not visible in the application response but can be inferred based on the application's behavior. This could lead to unauthorized data access, such as disclosing sensitive database information or, in some cases, compromising the entire database.

Reproduction

To reproduce this vulnerability, send a GET request to the '/admin/search/search/find' endpoint with a crafted 'fields[]' parameter. The injection can be performed using boolean-based or time-based blind SQL injection techniques. For boolean-based injection, use a payload that evaluates a condition (e.g., 'field1 AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END)=1'). For time-based injection, use a payload that causes a delay (e.g., 'field1 AND IF(1=1,SLEEP(5),0)'). Note that neither payload contains a SQL comment or produces a syntax error, which is why the earlier mitigation did not stop them.
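The following Python is an added illustration, not Pimcore's code: it contrasts the incomplete comment-stripping mitigation described above with an allowlist of known column names, and adds a log-review helper for the 'fields[]' parameter. The column names and the table name are hypothetical placeholders, not taken from Pimcore.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist standing in for the real set of searchable columns
# (constructed for this example; Pimcore's actual column names are not on the page).
ALLOWED_FIELDS = {"id", "fullpath", "type", "subtype", "published", "modificationDate"}

# Comment forms a comment-stripping mitigation would remove.
SQL_COMMENT_RE = re.compile(r"(--[^\n]*|#[^\n]*|/\*.*?\*/)", re.S)


def blacklist_sanitize(field: str) -> str:
    """Incomplete approach: strip SQL comments and rely on syntax errors for the rest."""
    return SQL_COMMENT_RE.sub("", field).strip()


def build_query_unsafely(fields: list[str]) -> str:
    """Vulnerable pattern: sanitised field names concatenated straight into the column list."""
    cols = ", ".join(blacklist_sanitize(f) for f in fields)
    return f"SELECT {cols} FROM search_results WHERE fullpath LIKE ?"  # hypothetical table


def validate_fields(fields: list[str]) -> list[str]:
    """Allowlist approach: every requested field must be a known column name."""
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise ValueError(f"unknown field(s) rejected: {bad}")
    return fields


def build_query_safely(fields: list[str]) -> str:
    """Hardened form: only allowlisted identifiers, each backtick-quoted, reach the SQL."""
    cols = ", ".join(f"`{c}`" for c in validate_fields(fields))
    return f"SELECT {cols} FROM search_results WHERE fullpath LIKE ?"


def flag_request(url: str) -> list[str]:
    """Log review: return fields[] values in a request that are not allowlisted columns."""
    params = parse_qs(urlsplit(url).query)
    return [f for f in params.get("fields[]", []) if f not in ALLOWED_FIELDS]
```

The boolean-based payload from the Reproduction section passes `blacklist_sanitize` unchanged and lands in the query built by `build_query_unsafely`, while `validate_fields` rejects it outright.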

Remediation

Users should update to Pimcore 12.3.1 or 11.5.14 (the fixed release of each affected branch), where this vulnerability has been fixed.

Added: Jan 14, 2026, 7:32 PM
Updated: Jan 14, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 3.1
exploitability: 6.8
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.