Untitled

Document Title:
===============
Piwigo v2.9.2 - SQL injection in administration panel


CVE-ID:
=======
CVE-2018-6883


Release Date:
=============
2018-02-11


References:
=============
https://github.com/Piwigo/Piwigo/issues/839


Common Vulnerability Scoring System:
====================================
3.8 (AV:N/AC:H/Au:S/C:C/I:N/A:N/E:F/RL:TF/RC:UC/CDP:N/TD:ND/CR:ND/IR:ND/AR:ND)


Vulnerability Class:
====================
SQL injection


Product & Service Introduction:
===============================
Piwigo is photo gallery software for the web, built by an active community of users and developers. Freely available extensions can be used to customize Piwigo. It is written in PHP using MySQL as a database server.


Abstract Advisory Information:
==============================
An SQL injection has been discovered in the administration panel of Piwigo (version 2.9.2).


Vulnerability Disclosure Timeline:
==================================
2018-02-10: Requested CVE ID
2018-02-11: Informed vendor
2018-02-21: Acknowledged by vendor
2018-02-22: Patch created by vendor


Discovery Status:
=================
Fixed


Affected Product(s):
====================
Piwigo
Product: Piwigo - Content Management System (Web-Application) 2.9.2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Authentication Type:
====================
Requires admin privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers that are authenticated as administrator to inject SQL code into a query. This could result in full information disclosure.

The SQL injection vulnerability was found in admin/tags.php and is done by injecting SQL code in the 'tags' POST variable. This variable is only sanitized by addslashes() and is not encapsulated by quotes in the concatenated SQL string allowing the injection to work. Furthermore, the result set is part of the page output allowing information disclosure about other tables in the database.

The POST variables 'edit_list' and 'merge_list' are also vulnerable to this attack, however, no exploit exist to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893).

The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.

Request Method(s):
[+] POST

Vulnerable File(s):
[+] admin/tags.php

Vulnerable Parameter(s):
[+] edit_list
[+] merge_list
[+] tags

Affected Module(s):
[+] Backend


Proof of Concept (PoC):
=======================
Once the attacker obtains a session of an administrator, the attacker can then send a POST request with a specially crafted to /admin.php?page=tags as follows:

POST http://localhost/piwigo/admin.php?page=tags HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: <ADMIN COOKIE>

pwg_token=<TOKEN>&tags%5B%5D=-1)%20UNION%20(SELECT%20password%20FROM%20piwigo_users&selectAction=delete&confirm_deletion=1&delete=

The result page will have the password hashes of all users at this line:

"The following 4 keywords have been deleted : XXXX, XXXX, XXXX, XXXX"


Solution - Fix & Patch:
=======================
Introduce further sanitization of the $_POST['edit_list'], $_POST['merge_list'], and $_POST['tags'] variable by limiting the input to an array of integers only.


Security Risk:
==============
The security risk of this SQL injection that requires admin privileges is estimated to be low (CVSS score 3.8)


Credits & Authors:
==================
Jorrit Kronjee <jorrit at wafel dot org>