Pimcore vulnerable to disclosure of system and database information behind /admin firewall

Summary

Navigating to /admin/index/statistics with a logged in Pimcore user (not an XmlHttpRequest because of this check: IndexController:125) exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system.

> The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.

Details

/admin/index/statistics returns the following JSON-response:

{
    {
        "instanceId": "...",
        "pimcore_major_version": 11,
        "pimcore_version": "v11.3.1",
        "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008",
        "pimcore_platform_version": "v2024.2",
        "php_version": "8.3.8",
        "mysql_version": "10.11.8-MariaDB-ubu2204",
    "bundles": [
        // all installed bundles
    ],
    "tables": [
        // all tables and their row count, e.g:
        {
            "name": "users",
            "rows": 2
        },
    ]
}

Information about the Pimcore Version can also be seen here:

In a current Version:

In Pimcore Version 10.6.9:

PoC

• [Demo App](https://demo.pimcore.fun/admin) with credentials user: admin and pass: demo
• Watching Network-Tab in Developer-Tools and looking for /admin/index/statistics

Impact

Only for logged in Pimcore users possible.

Workaround and Patch

We patched the following additional check for Pimcore v10.6.9. This uses an app-specific class but any user permission would be ok.
This resolves navigating to /admin/index/statistics.

diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php
--- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (revision dd81ef4c666b18c254333867a60f6ed455025076)
+++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (date 1721225746781)
@@ -15,6 +15,7 @@

namespace Pimcore\Bundle\AdminBundle\Controller\Admin;

+use App\Constant\UserPermission;
use Doctrine\DBAL\Connection;
use Exception;
use Pimcore\Analytics\Google\Config\SiteConfigProvider;
@@ -142,6 +143,12 @@
throw $this->createAccessDeniedHttpException();
}

+        $user = $this->tokenResolver->getUser();
+
+        if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
+            throw $this->createAccessDeniedException();
+        }
+
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
````

For the Pimcore versions in the UI we used the IndexActionSettingsEvent. This works for Versions < Pimcore 11:

```php
<?php

namespace App\EventListener\Admin;

use App\Constant\UserPermission;
use Pimcore\Bundle\AdminBundle\Event\AdminEvents;
use Pimcore\Event\Admin\IndexActionSettingsEvent;
use Pimcore\Security\User\TokenStorageUserResolver;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
* @deprecated and cannot be used in Pimcore 11
*/
class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface
{
    public function __construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents()
    {
        return [
            AdminEvents::INDEX_ACTION_SETTINGS => ['onIndexActionSettingsEvent'],
        ];
    }

    public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void
    {
        $user = $this->tokenResolver->getUser();
        if ($user->isAdmin() || $user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
            return;
        }

        $settings = $event->getSettings();
        $settings['instanceId'] = '';
        $settings['version'] = '';
        $settings['build'] = '';
        $event->setSettings($settings);
    }
}