Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed

An authenticated administrative attacker can supply a malicious Twig template through the DataObject ClassDefinition Layout\Text component. Because the custom Twig `SecurityPolicy` had empty `checkMethodAllowed()` and `checkPropertyAllowed()` implementations [patch_id=6466818], the sandbox did not block method calls or property reads on any PHP object reachable from the template context. The attacker can chain method calls (e.g. `object.getDao().db.fetchOne(...)`) to read arbitrary files, execute arbitrary database queries, and—by leveraging PHP object gadget chains—achieve remote code execution. The `pimcore_*` function wildcard in `checkSecurity()` further broadens the bypass to all Pimcore Twig functions.

The vulnerability resides in `lib/Twig/Sandbox/SecurityPolicy.php` in Pimcore 12.3.8. The `checkMethodAllowed()` and `checkPropertyAllowed()` methods previously contained only a comment `//do not perform any checks`, meaning no sandbox restrictions were enforced on method calls or property accesses on objects in Twig templates. The `checkSecurity()` method also allowed any function starting with `pimcore_` to pass without restriction.

The patch replaces the empty `checkMethodAllowed()` and `checkPropertyAllowed()` bodies with iteration over a `BLOCKED_CLASSES` constant containing sensitive infrastructure classes (`AbstractDao`, `Connection`, `PDO`, `PDOStatement`, `ContainerInterface`, `Process`). If the object being accessed is an instance of any blocked class, a `SecurityNotAllowedMethodError` or `SecurityNotAllowedPropertyError` is thrown, preventing the template from traversing into database or infrastructure layers. The patch also corrects the comment in `checkSecurity()` but does not remove the `pimcore_*` wildcard.