[12.x] synchronisation, quote not supported in album name #1572
Comments
Same here still, Fedora 35. Very frustrating, as there are no errors, just the green "created" bar points at id 0. Piwigo 12.2.0
Hi @celogeek
Well, this works:
It really looks like SQL injection is possible.
Oh dear. Unless I miss something, cat_list.php passes the POST of the name directly. Maybe the parent id too.
functions.php then does totally the wrong thing.
Multiple other occurrences, simple SQL injection. I've contacted Piwigo via the page on their web site. I can't see a way to tag this issue as being sensitive and hide it. At least it requires an authorised user (I hope, not checked)...
hello
@MatthieuLP @plegall #security |
It might be possible to "fix" this with addslashes in the right place... It seems to be used very sparingly in the current code, however. Would the project be open to a patch that added this?
@tomchiverton in
Maybe you did, but certainly you don't know what happens if $_GET['parent_id'] contains anything else than digits :-) It would immediately fail. It would never go into the SQL query. Security matters to us. It's not because it's not done "the way you expect it to be" that it's not done another way :-) So unless you have a case where a faulty
I've changed the title of this issue. It's not an SQL injection per se. It's only a "problem" when adding albums by synchronisation (based on the filesystem). I personally think it's a really bad idea to use quotes, spaces, mixing small and capital letters... in file names. You can do it. Your filesystem will let you do it. It remains a bad idea. Who has tried to use the "/" character in a filename on Linux? In Piwigo, when you use the synchronisation system to add albums/photos, there is the "physical" (files in the filesystem) layer and the "logical" (database) layer. You can perfectly set the title of your album to "what'ever You Want 专辑" once it is added in your Piwigo, because it's only in the database, not on the filesystem.
I use the interface in Admin > Albums > Manage When I add a backslash, it works. |
By the way, I've made a tool to sync a full structure with album names, and I temporarily add the backslash to the Category Name parameter until the SQL issue is solved. We can see the SQL with the string replaced directly in the error message. So it is a SQL injection issue. Usually it is highly recommended to use the binding feature of the SQL drivers to avoid any possible SQL injection. What if I use a name like this directly in the interface:
I won't try, but I'm sure it is possible to drop a table or the database just by trying a name like that. |
We can clearly see here what it tries to do (just build the SQL string with the input from the browser).
I created a test table, then tried to create a new album called Vacances'; DROP table newTable; '-- ' but the new table was not removed. Some command line fiddling, e.g.
How did you do that? Here when I try to create an album in the admin with a ' in the name, it just refreshes the page and has a green banner saying "Album added Edit album", but the edit link is ..../admin.php?page=album-0. My versions are above.
The difference I see between you and me is that you're on PHP 8 while I'm on PHP 7. We're going to make some test specifically on PHP 8. Could be related to |
After testing on PHP8 environment, we find that creating albums with a quote breaks the page. |
I'm trying to create an album with the name
And it seems the quote breaks the request now. I have some album with quote created with piwigo 11.
I'm using mysqli.
Here the error I see on the page:
As far as I can see, the parameters that come from the browser are injected like that in the query with no protection.
I think the best would be to use binding when doing query, this is dangerous !
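The thread above makes three related observations: a quote in an album name breaks the query (because the name is concatenated into the SQL text), the `DROP TABLE` payload tried earlier did not remove the table, and parameter binding is the recommended fix. The following is an added example, not Piwigo's code, that reproduces all three against an in-memory SQLite database (SQLite is used here only because it runs stand-alone; the behaviour of building the query by string concatenation is the same with mysqli). The table names `categories` and `newTable`, the album names, and the helper functions are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed sample inputs (not taken from the issue's attachments):
# an ordinary album name containing an apostrophe,
ALBUM_WITH_QUOTE = "Vacances d'été"
# the stacked-query payload tried in the thread, verbatim,
STACKED_PAYLOAD = "Vacances'; DROP table newTable; '-- '"
# and a variant that closes the INSERT's parenthesis and balances the
# trailing quote with a harmless SELECT, so every statement parses.
BALANCED_PAYLOAD = "Vacances'); DROP TABLE newTable; SELECT ('x"


def fresh_db():
    """In-memory DB with an album table and a decoy table to drop (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("CREATE TABLE newTable (id INTEGER)")
    return conn


def last_name(conn):
    row = conn.execute("SELECT name FROM categories ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def insert_concat(conn, name):
    """String-built INSERT: the quote in `name` becomes part of the SQL text.
    Returns (ok, stored_name) on success or (False, error_text) on failure."""
    sql = "INSERT INTO categories (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        conn.commit()
    except sqlite3.Error as e:
        # This is the "quote breaks the request" symptom: the driver reports
        # a syntax error and no row is written.
        return False, f"{type(e).__name__}: {e}"
    return True, last_name(conn)


def insert_bound(conn, name):
    """Parameter binding: the name is sent as data, never parsed as SQL."""
    conn.execute("INSERT INTO categories (name) VALUES (?)", (name,))
    conn.commit()
    return last_name(conn)


def run_concat_stacked(conn, name):
    """Same concatenation, but executed through an API that accepts several
    statements at once (executescript). Returns whether the decoy table
    survived, i.e. whether the injected DROP TABLE was ignored."""
    sql = "INSERT INTO categories (name) VALUES ('" + name + "')"
    try:
        conn.executescript(sql)
    except sqlite3.Error:
        pass
    return table_exists(conn, "newTable")


if __name__ == "__main__":
    db = fresh_db()
    print("concat :", insert_concat(db, ALBUM_WITH_QUOTE))
    print("bound  :", insert_bound(db, ALBUM_WITH_QUOTE))
    print("concat stacked, one-statement API:", insert_concat(db, STACKED_PAYLOAD),
          "decoy table still there:", table_exists(db, "newTable"))
    print("concat stacked, multi-statement API, decoy table still there:",
          run_concat_stacked(fresh_db(), BALANCED_PAYLOAD))
```

The point of the last two calls is the one a reviewer should take from the `DROP TABLE` test in the thread: the table survived because `execute()` (like PHP's `mysqli_query()`, which does not accept stacked statements unless `mysqli_multi_query()` is used) refuses to run more than one statement, not because the input was sanitised. Through an API that does accept several statements the same concatenated string drops the table. The bound version stores both names verbatim, including the payload, with nothing to escape. Note also that `mysqli_insert_id()` returns 0 when the previous query generated no AUTO_INCREMENT value, which is consistent with the `album-0` edit link reported after a failed INSERT, and that `addslashes()` is not a charset-aware SQL escape; if binding is not an option, the driver's own escaping function is the minimum.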