I found that the Piwigo front end can trigger XSS; that is, the system administrator triggers the XSS after logging into the back end.
Please see below for details of the analysis
At first, we found a global filter in `include/common.inc.php`.
It just handles GET, POST and COOKIE, so we can think about whether it can be bypassed through other parameters.
Then I found out that Piwigo records the user's login and logout process.
Take the logout process as an example (login is the same), in `include/functions_user.inc.php`:

```php
function logout_user()
{
  global $conf;

  trigger_notify('user_logout', @$_SESSION['pwg_uid']);

  pwg_activity('user', @$_SESSION['pwg_uid'], 'logout');

  $_SESSION = array();
  session_unset();
  session_destroy();
  setcookie(session_name(), '', 0,
    ini_get('session.cookie_path'),
    ini_get('session.cookie_domain')
  );
  setcookie($conf['remember_me_name'], '', 0, cookie_path(), ini_get('session.cookie_domain'));
}
```
After that, let's see what the `pwg_activity` function does in `include/functions.inc.php`.
In this function, the parameter `$_SERVER['HTTP_USER_AGENT']` is not filtered; then `serialize` and `pwg_db_real_escape_string` are executed respectively.
Looking at the function `pwg_db_real_escape_string`, it just prevents SQL injection:

```php
function pwg_db_real_escape_string($s)
{
  return mysql_real_escape_string($s);
}
```
Then we register a user `yyds\yyds`.
Then we click `logout`.
Then we just post like this (it is best to send more packets):

```
url: http://test.y4tacker.top/identification.php
User-Agent: "><script>alert(`Hacked By Y4tacker`)</script><"
POST: username=yyds&password=yyds&redirect=%2F&login=submit
```
Next, after the system administrator has logged in and visits `http://xxx/admin.php?page=user_activity`, look at it.
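Added example, not from the report above or from Piwigo's code base: it shows why SQL escaping alone leaves the stored User-Agent executable in the admin page, and how HTML output encoding neutralizes it. `sql_escape()` is a stand-in for `pwg_db_real_escape_string()` built on `addslashes()`, and the User-Agent value is constructed for the demonstration.

```php
<?php
// Stand-in for pwg_db_real_escape_string(): escapes only SQL metacharacters
// (quotes, backslash, NUL). mysql_real_escape_string() is gone in modern PHP,
// and addslashes() covers the same characters for this demonstration.
function sql_escape(string $s): string
{
    return addslashes($s);
}

// Vulnerable rendering: the value read back from the activity table is
// interpolated into the admin page as-is, exactly as the report describes.
function render_unsafe(string $ua): string
{
    return '<td>' . $ua . '</td>';
}

// Hardened rendering: encode for the HTML context at output time. This is
// the missing step; SQL escaping at storage time does not replace it.
function render_safe(string $ua): string
{
    return '<td>' . htmlspecialchars($ua, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Reviewer check: does the rendered fragment still contain a raw <script tag?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed header value in the shape of the report's payload (not a capture).
$userAgent = '"><script>alert(1)</script><"';

// What the INSERT sends: SQL-safe, but <, >, " and / are preserved verbatim.
$escapedForSql = sql_escape($userAgent);

// MySQL unescapes the quoted literal on insert, so the row holds the original bytes.
$storedInDb = stripslashes($escapedForSql);

$unsafeHtml = render_unsafe($storedInDb);
$safeHtml   = render_safe($storedInDb);

// The unsafe fragment still carries executable markup; the safe one is plain text.
var_dump(contains_script_tag($unsafeHtml));
var_dump(contains_script_tag($safeHtml));
echo $safeHtml, PHP_EOL;
```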
Where's the fix?
www-apps/piwigo: clean old versions
99818f7
Piwigo/Piwigo#1582 mentions all versions <=12.1.0 have an XSS vulnerability
Bug: https://bugs.gentoo.org/828581
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>