Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 19 Apr 2014 13:39:46 -0400 (EDT)
Subject: Re: Remote code execution in Pimcore CMS

Hash: SHA1

> I have discovered a PHP object injection in Pimcore CMS.

MITRE currently doesn't look for "CVE request" in the Subject line.
For some posts, the right number of CVE IDs can be determined more
quickly than for others. So, in this case, we'll just ask for
additional information.

pimcore-2.1.0.txt says:

  Payload [1] abuses several Zend classes to achieve remote code

and then says:

  payload [3] does not work on Pimcore versions between 2.0.1 and

Is it also true that:

  payload [1] does not work on Pimcore versions between 2.0.1 and


The payload [1] code is obviously a close derivative of the payload
[3] code, but they are not identical. We're not sure whether there was
an important reason for mentioning [3] specifically.

For this statement:

  Version 2.0.0 might be vulnerable if anyone is running it
  on PHP versions <= 5.3.3... which according to the developers is
  not possible, but the requirement was only enforced in 2.0.1.

First, we think that "Version 2.0.0 might be vulnerable" means
"Version 2.0.0 might be vulnerable to exactly the same remote code
execution problem that existed in 1.4.9 to 1.4.10 (inclusive)."

Also, we think you mean that the correct set of affected versions has
two possibilities. The set is possibly disputed by the developers, but
it is either:

   1.4.9 to 1.4.10 (inclusive): Remote code execution (when server is running PHP <= 5.3.3).


   1.4.9 to 1.4.10 (inclusive) and 2.0.0: Remote code execution (when server is running PHP <= 5.3.3).

Also, based on it seems
that version 1.4.10 was the last 1.x version. In other words, it's not
a situation in which the problem was fixed within a later 1.x version,
but then reappeared in 2.0.0 because of a regression.

Is all of this correct?

It seems very likely that the right number of CVE IDs is two, but the
questions above can clarify that. (Separate CVE IDs are needed when
the usable attack methodology differs across versions.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.