Piwigo v2.9.2 - SQL injection in administration panel
Common Vulnerability Scoring System: 3.8 (Low)
Product & Service Introduction:
Piwigo is photo gallery software for the web, built by an active community of users and developers. Freely available extensions can be used to customize Piwigo. It is written in PHP using MySQL as a database server.
Abstract Advisory Information:
An SQL injection has been discovered in the administration panel of Piwigo (version 2.9.2).
Vulnerability Disclosure Timeline:
2018-02-10: Requested CVE ID
2018-02-11: Informed vendor
2018-02-21: Acknowledged by vendor
2018-02-22: Patch created by vendor
Product: Piwigo - Content Management System (Web-Application) 2.9.2
Requires admin privileges
Low User Interaction
Independent Security Research
Technical Details & Description:
An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers who are authenticated as administrator to inject SQL code into a query. This could result in full information disclosure.
The SQL injection vulnerability was found in admin/tags.php and is triggered by injecting SQL code through the 'tags' POST variable. This variable is only sanitized by addslashes() and is not enclosed in quotes in the concatenated SQL string, which allows the injection to work. Furthermore, the result set is part of the page output, allowing information disclosure about other tables in the database.
The POST variables 'edit_list' and 'merge_list' are also vulnerable to this attack; however, no exploit exists to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893).
The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.
Proof of Concept (PoC):
Once the attacker obtains a session of an administrator, the attacker can then send a POST request with a specially crafted body to /admin.php?page=tags as follows:
POST http://localhost/piwigo/admin.php?page=tags HTTP/1.0
Cookie: <ADMIN COOKIE>
The result page will have the password hashes of all users at this line:
"The following 4 keywords have been deleted : XXXX, XXXX, XXXX, XXXX"
Solution - Fix & Patch:
Introduce further sanitization of the $_POST['edit_list'], $_POST['merge_list'], and $_POST['tags'] variables by limiting each input to an array of integers only.
The security risk of this SQL injection, which requires admin privileges, is estimated to be low (CVSS score 3.8).
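The following is an added example, not code from Piwigo or from the advisory author, illustrating the two points made above: why addslashes() alone does not protect a value that is spliced into an unquoted position of a SQL string (Technical Details), and what the recommended integer-only whitelist looks like (Solution). The function names build_delete_query_unsafe(), sanitize_id_list() and build_delete_query_safe(), the table name "tags" and the sample input are all assumptions made for the example; they are not taken from admin/tags.php.

```php
<?php
// Added example (not Piwigo's code). Function names, the table name and the
// sample input below are hypothetical and chosen only for illustration.

declare(strict_types=1);

/**
 * The pattern the advisory describes: each element is passed through
 * addslashes() and then concatenated into an unquoted position of the query.
 * addslashes() only escapes single quotes, double quotes, backslashes and NUL
 * bytes; every other character reaches the SQL text untouched, so in an
 * unquoted numeric context it constrains nothing.
 */
function build_delete_query_unsafe(array $ids): string
{
    $escaped = array_map('addslashes', $ids);
    return 'DELETE FROM tags WHERE id IN (' . implode(',', $escaped) . ')';
}

/**
 * Hardened form of the input handling: keep only elements that are integers
 * (either PHP ints or strings consisting solely of digits), cast them, and
 * drop everything else. The resulting list can only ever contain integers,
 * so the concatenated query text can only ever be a comma-separated id list.
 */
function sanitize_id_list($input): array
{
    if (!is_array($input)) {
        return [];
    }
    $ids = [];
    foreach ($input as $value) {
        if (is_int($value)) {
            $ids[] = $value;
        } elseif (is_string($value) && preg_match('/^[0-9]{1,10}\z/', $value) === 1) {
            $ids[] = (int) $value;
        }
        // Floats, strings with any non-digit character, nested arrays and
        // other types are silently discarded.
    }
    return array_values(array_unique($ids));
}

/**
 * Builds the query only from the whitelisted ids; returns null when nothing
 * valid remains so the caller does not execute a query at all.
 */
function build_delete_query_safe($input): ?string
{
    $ids = sanitize_id_list($input);
    if ($ids === []) {
        return null;
    }
    return 'DELETE FROM tags WHERE id IN (' . implode(',', $ids) . ')';
}

// Constructed sample input standing in for $_POST['tags']: two valid ids, a
// duplicate, and three values that are not integers.
$sample = ['12', '7', '12', 'abc', '3.5', '9 extra'];

// addslashes()-only path: the non-numeric elements survive into the query text.
echo build_delete_query_unsafe($sample), "\n";

// Whitelist path: only the integer ids 12 and 7 remain.
echo build_delete_query_safe($sample) ?? '(no valid ids, query not executed)', "\n";
```

Running the script with a PHP CLI prints both query strings side by side; the first still contains the literal strings abc, 3.5 and "9 extra", while the second contains only 12 and 7. The whitelist is the minimal fix the advisory asks for; passing the id list to the database through a parameterised query in addition to the whitelist would remove the string-concatenation pattern entirely.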
Credits & Authors:
Jorrit Kronjee <jorrit at wafel dot org>