[11.5.0]SQL Injection Vulnerability #1470

Closed
HolaAsuka opened this issue Aug 29, 2021 · 1 comment

HolaAsuka commented Aug 29, 2021

The following is the detail about this vulnerability I found in Piwigo 11.5.0:
First, visit URL/admin.php and log in, then click Album-Move. On this page, click ORDER on the right side.

Then we can see:

Select default, and use Burp Suite while clicking APPLY.

Then in sqlmap:

```
python sqlmap.py -r post.txt -o --dbms=MySQL
```

See admin\cat_move.php:


Here there seems to be no confirmation of the legitimacy of the parameter `$_POST[id]`, and the other parameters are legal, so the query is run.

Here is the manual injection test:

(Loads successfully after sleeping 5 seconds)

Thanks for reading!
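
The report above describes a POSTed `id` value reaching a SQL query without validation. The sketch below is an added example, not Piwigo's code and not the project's fix: it shows one way to reject non-numeric ids and bind the remainder as parameters. It assumes the parameter is meant to carry a list of numeric ids; `parse_id_list`, `build_select`, and the table and column names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Piwigo code): accept only decimal integer ids.
function parse_id_list($raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('id must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit() is true only for non-empty strings of 0-9, so signs,
        // spaces, quotes and nested arrays are all rejected here.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 10) {
            throw new InvalidArgumentException('id values must be positive integers');
        }
        $ids[] = (int) $value;
    }
    return $ids;
}

// Build the statement with one placeholder per id; the values travel
// separately and are never concatenated into the SQL text.
function build_select(array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // Table and column names are assumptions for illustration.
    return ["SELECT id, name FROM categories WHERE id IN ($placeholders)", $ids];
}

// Constructed sample inputs standing in for $_POST['id'].
$samples = [
    'well-formed' => ['3', '17', '42'],
    'non-numeric' => ['3', '17 plus trailing text'],
    'scalar'      => '3',
];

foreach ($samples as $label => $raw) {
    try {
        [$sql, $params] = build_select(parse_id_list($raw));
        echo "$label: $sql with [" . implode(', ', $params) . "]\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The returned SQL string and parameter list are shaped for a prepared-statement API such as PDO's `prepare()` and `execute()`.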


ajakk commented May 28, 2022

Has this been fixed? It has been assigned CVE-2021-40317.

MatthieuLP pushed a commit that referenced this issue Sep 28, 2022
MatthieuLP added this to the 13.0.0RC5 milestone Sep 28, 2022