File Inclusion Attack #572

Closed
Shinkurt opened this issue Dec 18, 2016 · 2 comments

Comments

@Shinkurt

Hello,

There is a File Inclusion attack in the file Piwigo/admin/batch_manager.php

It does:

```php
600: $page['tab'] = 'global';  // default when $_GET['mode'] is not set
596: $page['tab'] = $_GET['mode'];
768: include (PHPWG_ROOT_PATH . 'admin/batch_manager_' . $page['tab'] . '.php');  // e.g. batch_manager_global.php
```

The user-controlled variable $page['tab'] is being sent to an include() without any checks. This makes file inclusion attacks possible. In older PHP versions, using a null byte attack, code execution is also possible.

Fix: put an array of allowed strings.

Thanks,
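The allowlist fix the report asks for, written out as an added example (not Piwigo's own code): the include path is only ever built from a name taken out of a fixed list, never from the raw `mode` parameter. The `BATCH_MANAGER_TABS` list (assumed to hold `global` and `unit`) and the `batch_manager_tab()` helper are assumptions for illustration.

```php
<?php
// Added example, not Piwigo's code: hardened tab selection for
// admin/batch_manager.php. BATCH_MANAGER_TABS and batch_manager_tab()
// are assumed names for illustration.

// Allowlist of tab names that may be turned into an include path.
const BATCH_MANAGER_TABS = ['global', 'unit'];

/**
 * Resolve the requested tab to one of the allowlisted names.
 * Anything else (traversal sequences, null bytes, extra suffixes,
 * non-string values) is logged and replaced by the default tab.
 */
function batch_manager_tab(array $get, string $default = 'global'): string
{
    if (!isset($get['mode'])) {
        return $default;
    }
    $mode = $get['mode'];
    // Strict in_array: only a string exactly equal to a known tab matches.
    if (!is_string($mode) || !in_array($mode, BATCH_MANAGER_TABS, true)) {
        error_log('batch_manager: rejected mode parameter ' . var_export($mode, true));
        return $default;
    }
    return $mode;
}

// Constructed sample requests; the resulting path is printed, not included.
$samples = [
    [],                                  // no mode        -> global
    ['mode' => 'unit'],                  // allowed        -> unit
    ['mode' => 'global/../../config'],   // traversal      -> global
    ['mode' => "global\0"],              // null byte      -> global
    ['mode' => 'global.php'],            // wrong suffix   -> global
    ['mode' => ['global']],              // array, not str -> global
];
foreach ($samples as $get) {
    $tab  = batch_manager_tab($get);
    $path = 'admin/batch_manager_' . $tab . '.php';
    echo str_pad(var_export($get['mode'] ?? null, true), 30) . ' => ' . $path . PHP_EOL;
}
```

In the real file the resolved name would then be used at line 768 in place of `$page['tab']`, so the `include` can only reach `batch_manager_global.php` or `batch_manager_unit.php`.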

@plegall plegall self-assigned this Dec 19, 2016
@plegall plegall added this to the 2.9.0beta2 milestone Dec 19, 2016

Shinkurt commented Dec 19, 2016

use CVE-2016-10084


plegall commented Dec 20, 2016

A CVE? I admit I've never filed any. When a security issue is reported, the reporter sometimes gives us a CVE.

In my opinion this security issue is really minor because it requires being an administrator.

plegall added a commit that referenced this issue Jan 1, 2017
@plegall plegall modified the milestones: 2.8.5, 2.9.0beta2 Jan 1, 2017