
[Version <= 12.1.0] XSS vulnerability in the frontend #1582

Closed
Y4tacker opened this issue Dec 15, 2021 · 1 comment

Comments

@Y4tacker

I found that the Piwigo front-end can trigger XSS; it means the system administrator can trigger the XSS after logging into the backend.

Please see below for details of the analysis.

At first, we found a global filter in include/common.inc.php:

[screenshot 1]

It only handles GET, POST and COOKIE, so we can think about whether it can be broken through other parameters.

Then I found out that Piwigo records the user's login and logout process.

Take the logout process as an example (login is the same), in include/functions_user.inc.php:

function logout_user()
{
  global $conf;

  trigger_notify('user_logout', @$_SESSION['pwg_uid']);
  pwg_activity('user', @$_SESSION['pwg_uid'], 'logout');

  $_SESSION = array();
  session_unset();
  session_destroy();
  setcookie(session_name(),'',0,
      ini_get('session.cookie_path'),
      ini_get('session.cookie_domain')
    );
  setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
}

After that, let's see what the pwg_activity function does in include/functions.inc.php.

In this function, the $_SERVER['HTTP_USER_AGENT'] parameter is not filtered:

[screenshot 2]

Then the serialize and pwg_db_real_escape_string functions are executed respectively:

[screenshot 3]

Look at the function pwg_db_real_escape_string; it only prevents SQL injection:

function pwg_db_real_escape_string($s)
{
  return mysql_real_escape_string($s);
}

Then we register a user yyds\yyds:

[screenshot 4]

Then we click logout:

[screenshot 5]

Then we just post like this (it is best to send more packets):

[screenshot 6]

url:http://test.y4tacker.top/identification.php
User-Agent:"><script>alert(`Hacked By Y4tacker`)</script><"
POST:
username=yyds&password=yyds&redirect=%2F&login=submit

Next, after the system administrator has logged in and visits http://xxx/admin.php?page=user_activity:

[screenshot 7]

and looks at it:

[screenshot 8]
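The fix for a bug of this shape belongs at the rendering side, not in the SQL escaping. As an added illustration (this is not Piwigo's own code; the `$activity` row, the `h()` helper and the render functions are constructed for the example), the PHP below contrasts interpolating the stored User-Agent straight into the activity table markup with HTML-escaping it at output time:

```php
<?php
// Added illustration (not Piwigo code): a User-Agent value that is escaped
// only for SQL on the way in comes back out of the database unchanged, so
// the page that displays it must HTML-escape it when rendering.

// Constructed activity row using the User-Agent from the report above.
// pwg_db_real_escape_string() protects the INSERT statement; the database
// still stores the original bytes, which the admin page later reads back.
$activity = [
    'user_id'    => 42,
    'action'     => 'logout',
    'user_agent' => '"><script>alert(`Hacked By Y4tacker`)</script><"',
];

// Vulnerable rendering: the stored string lands directly inside an attribute,
// so the `">` prefix closes the attribute and the tag, and the script runs in
// the browser of the administrator viewing the activity page.
function render_activity_unsafe(array $row): string
{
    return '<td title="' . $row['user_agent'] . '">' . $row['action'] . '</td>';
}

// Hardened rendering: HTML-escape every untrusted field at output time.
// ENT_QUOTES escapes both quote styles (needed inside attributes),
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_activity_safe(array $row): string
{
    return '<td title="' . h($row['user_agent']) . '">' . h($row['action']) . '</td>';
}

// Defensive check usable in a template test: an escaped field must carry no
// raw tag delimiters or quotes, because only the static template may have them.
function contains_raw_markup(string $field): bool
{
    return (bool) preg_match('/[<>"\']/', $field);
}

echo "unsafe: ", render_activity_unsafe($activity), "\n";
echo "safe:   ", render_activity_safe($activity), "\n";

$escaped = h($activity['user_agent']);
echo contains_raw_markup($escaped)
    ? "FAIL: raw markup survived escaping\n"
    : "OK: user_agent is HTML-escaped before display\n";
```

The same `h()` wrapper applies to every field the activity view prints (action, IP, user name), since any of them is attacker-influenced text.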

@ajakk

ajakk commented Feb 10, 2022

Where's the fix?

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Feb 20, 2022
Piwigo/Piwigo#1582 mentions all versions
<=12.1.0 have a XSS vulnerability

Bug: https://bugs.gentoo.org/828581
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>