
File Inclusion Attack #572

Closed
Shinkurt opened this issue Dec 18, 2016 · 2 comments

@Shinkurt
commented Dec 18, 2016

Hello,

There is a File Inclusion attack in the file Piwigo/admin/batch_manager.php

It does:

```php
600: $page['tab'] = 'global';  // if(isset($_GET)) else ,
596: $page['tab'] = $_GET['mode'];
768: include (PHPWG_ROOT_PATH . 'admin/batch_manager_' . $page['tab'] . '.php');  // batch_manager_global.php
```

The user-controlled variable $page['tab'] is being sent to an include() without any checks. This makes file inclusion attacks possible. In older PHP versions, using a null-byte attack, code execution is also possible.

Fix: put an array of allowed strings.

Thanks,
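
The pattern the report describes, shown beside the allow-list fix it proposes. This is an added example written for this page, not Piwigo's code: the `PHPWG_ROOT_PATH` value, the tab names in `$allowed`, the function names and the probe inputs are all assumptions made for the demo.

```php
<?php
// Added example (not Piwigo's code). Shows why an unchecked $_GET['mode'] in an
// include() is a file inclusion, and the allow-list fix the report suggests.
// The root path, the tab names and the probe inputs below are assumptions.

const PHPWG_ROOT_PATH = '/var/www/piwigo/';  // assumed install location

// Vulnerable pattern: whatever the user supplies becomes part of the include path.
// Only the fixed 'batch_manager_' prefix and '.php' suffix constrain it, and a
// null byte truncated the suffix on PHP versions that accepted one in a path.
function resolve_tab_vulnerable(array $get): string
{
    $tab = isset($get['mode']) ? $get['mode'] : 'global';
    return PHPWG_ROOT_PATH . 'admin/batch_manager_' . $tab . '.php';
}

// Hardened pattern: the user value is only ever compared against a fixed list,
// and the path is built from the matched constant, never from the raw input.
// in_array(..., true) is strict so "0" or similar loose-comparison tricks fail.
function resolve_tab_safe(array $get): string
{
    $allowed = ['global', 'unit'];  // assumed tab names for this example
    $tab = 'global';                // default tab, as in the reported code
    if (isset($get['mode']) && is_string($get['mode'])
        && in_array($get['mode'], $allowed, true)) {
        $tab = $get['mode'];
    }
    return PHPWG_ROOT_PATH . 'admin/batch_manager_' . $tab . '.php';
}

// Constructed probe values an attacker with admin access could put in ?mode=.
$probes = [
    'global',                     // legitimate tab
    'unit',                       // legitimate tab
    '../../../../etc/passwd',     // traversal attempt; '.php' still gets appended
    "../../../../etc/passwd\0",   // null byte, relied on to drop the suffix on old PHP
    'GLOBAL',                     // wrong case: strict allow-list rejects it
];

foreach ($probes as $mode) {
    $get = ['mode' => $mode];
    printf("mode=%s\n  vulnerable builds: %s\n  hardened builds:   %s\n\n",
        addcslashes($mode, "\0"),
        addcslashes(resolve_tab_vulnerable($get), "\0"),
        resolve_tab_safe($get));
}
```

Running it prints, for each probe, the include path the unchecked code would build (the traversal and null-byte values pass straight into the string) and the path the allow-listed version builds, which is always one of the two known files. An allow list is preferable to a character filter such as a regex here because the set of legitimate values is small and fixed, so anything else has no reason to reach include() at all.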

@plegall plegall closed this in 9dd9295 Dec 19, 2016

@plegall plegall self-assigned this Dec 19, 2016

@plegall plegall added this to the 2.9.0beta2 milestone Dec 19, 2016

@plegall plegall added the Type: Bug label Dec 19, 2016

@Shinkurt

Author

commented Dec 19, 2016

use CVE-2016-10084

@plegall

Member

commented Dec 20, 2016

A CVE? I admit I've never filed any. When a security issue is reported, the reporter sometimes gives us a CVE.

In my opinion this security issue is really minor because it requires being an administrator.

plegall added a commit that referenced this issue Jan 1, 2017

@plegall plegall modified the milestones: 2.8.5, 2.9.0beta2 Jan 1, 2017
