Summary
A vulnerability in Part-DB 1.17.2 allows any authenticated user to upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This effectively makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface.
Details
The issue lies in the file src/Services/Attachments/AttachmentURLGenerator.php, specifically in the getThumbnailURL() method, which assumes the uploaded file is a valid image solely based on its file extension. This leads to an unhandled exception when the file has a valid image binary but a misleading extension (e.g., .jpg.txt), causing persistent server errors during thumbnail generation.
if (!$attachment->isPicture()) {
    throw new InvalidArgumentException('Thumbnail creation only works for picture attachments!');
}
This method is called when rendering user profiles through the template templates/admin/user_admin.html.twig, in the following block:
{% block preview_picture %}
    <img src="{{ avatar_helper.avatarURL(entity) }}" style="height: 50px;">
{% endblock %}
If the file includes a valid-looking image extension (e.g., .jpg) but is not properly recognized as a picture (due to the actual extension being .jpg.txt), the function throws an uncaught exception. This consistently breaks the rendering process and returns a 500 Internal Server Error any time the affected user’s profile is accessed.
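As an added illustration (this is not Part-DB's code; the Attachment, AttachmentURLGenerator and AvatarHelper classes below are simplified stand-ins that assume PHP 8.1+), the following shows the failure path described above and two mitigations a maintainer would apply: rejecting an avatar upload whose final extension or sniffed content is not an image, and falling back to a default avatar at render time so the InvalidArgumentException never reaches the template.

```php
<?php
// Simplified stand-ins for the classes named in the advisory (assumption, not project code).
final class Attachment {
    public function __construct(public readonly string $filename) {}
    // Mirrors the extension-only check described above: "avatar.jpg.txt" ends in "txt", not "jpg".
    public function isPicture(): bool {
        $ext = strtolower(pathinfo($this->filename, PATHINFO_EXTENSION));
        return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true);
    }
}
final class AttachmentURLGenerator {
    public function getThumbnailURL(Attachment $a): string {
        if (!$a->isPicture()) {
            throw new InvalidArgumentException('Thumbnail creation only works for picture attachments!');
        }
        return '/thumbs/' . rawurlencode($a->filename);
    }
}
// Mitigation 1: validate at upload time. Reject when the final extension is not an image
// type, or when the file's real content (sniffed, not taken from the name) is not an image.
function validateAvatarUpload(string $filename, string $tmpPath): void {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        throw new RuntimeException("Rejected avatar '$filename': extension '$ext' is not an image type");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!str_starts_with((string) $mime, 'image/')) {
        throw new RuntimeException("Rejected avatar '$filename': content is $mime, not an image");
    }
}
// Mitigation 2: never let a thumbnail failure abort page rendering; log it and use a default avatar.
final class AvatarHelper {
    public function __construct(private AttachmentURLGenerator $urls) {}
    public function avatarURL(?Attachment $a): string {
        if ($a === null || !$a->isPicture()) {
            return '/images/default_avatar.png';
        }
        try {
            return $this->urls->getThumbnailURL($a);
        } catch (InvalidArgumentException $e) {
            error_log('Avatar thumbnail failed for ' . $a->filename . ': ' . $e->getMessage());
            return '/images/default_avatar.png';
        }
    }
}
$helper = new AvatarHelper(new AttachmentURLGenerator());
echo $helper->avatarURL(new Attachment('avatar.jpg.txt')), "\n"; // default avatar instead of a 500
```

With the original (unguarded) call the same input throws and the whole profile page fails; with either mitigation in place the page still renders and the bad upload is either refused or logged.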
PoC
- Log in as a user with sufficient permissions to change their avatar (e.g., an admin or a user with profile editing rights).
- Navigate to /en/user/settings.
- Upload a valid image file whose filename carries an extra extension (e.g., .jpg.txt).
- Submit the form to save the user settings.
- Now attempt to:
  - Revisit /en/user/settings as the same user.
  - Access or manage the affected user from the admin panel.
Result:
Both actions will consistently trigger a 500 Internal Server Error.
Errors:
[previous exception] [object] (InvalidArgumentException(code: 0): Thumbnail creation only works for picture attachments! at /var/www/html/src/Services/Attachments/AttachmentURLGenerator.php:120)
PoC Video
https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view
Impact
- The affected user cannot access their own profile settings (/en/user/settings), effectively locking themselves out of avatar-related functionality.
- Administrators are unable to view, edit, or delete the affected user from the admin panel. Every attempt to render the user’s avatar will consistently crash the interface with a 500 error.
- The broken state is persistent and cannot be resolved through the UI; manual intervention (e.g., filesystem cleanup or database patching) is required to restore access.
- The issue does not involve remote code execution, privilege escalation, or data leakage, but it disrupts core functionality and can degrade admin operations if triggered intentionally by multiple users.