
File Inclusion Attack #572

Shinkurt opened this issue Dec 18, 2016 · 2 comments



commented Dec 18, 2016


There is a File Inclusion attack in the file Piwigo/admin/batch_manager.php

It does:

```php
600: $page['tab'] = 'global';  // if(isset($_GET)) else ,
596: $page['tab'] = $_GET['mode'];
768: include (PHPWG_ROOT_PATH . 'admin/batch_manager_' . $page['tab'] . '.php');  // batch_manager_global.php
```

The user-controlled variable $page['tab'] is being sent to an include() without any checks. This makes file inclusion attacks possible. In older PHP versions, using a null byte attack, code execution is also possible.

Fix: put an array of allowed strings.
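The allowlist fix the report asks for, as an added example (not Piwigo's own code and not the committed fix); the tab names, the helper name and the fallback to 'global' are assumptions for illustration:

```php
<?php
// Added example, not Piwigo's code: allowlist-based tab selection for
// admin/batch_manager.php. Only names listed here may reach include().
// The tab names are an assumption; the real list is whatever
// batch_manager_*.php files the project ships.
const BATCH_MANAGER_TABS = ['global', 'unit'];

/**
 * Return a tab name that is safe to concatenate into the include() path.
 * Anything not in the allowlist (null, arrays, strings with "../", a
 * null byte, or a different case) falls back to the default tab.
 */
function select_batch_manager_tab($mode, array $allowed = BATCH_MANAGER_TABS, string $default = 'global'): string
{
    // Strict in_array: no type juggling, exact byte-for-byte match only.
    if (is_string($mode) && in_array($mode, $allowed, true)) {
        return $mode;
    }
    return $default;
}

// Before (the pattern described in the report): raw GET value in the path.
//   $page['tab'] = $_GET['mode'];
//   include(PHPWG_ROOT_PATH . 'admin/batch_manager_' . $page['tab'] . '.php');

// After: validate first, then include only an allowlisted name.
$page = [];
$page['tab'] = select_batch_manager_tab($_GET['mode'] ?? null);
// include(PHPWG_ROOT_PATH . 'admin/batch_manager_' . $page['tab'] . '.php');

// Self-check with constructed inputs (run with: php this_file.php).
$cases = [
    ['unit', 'unit'],                 // allowlisted name passes through
    ['global', 'global'],
    ['../../index', 'global'],        // traversal attempt is rejected
    ["global\0", 'global'],           // trailing null byte is rejected
    ['GLOBAL', 'global'],             // case differs, rejected
    [['global'], 'global'],           // array instead of string, rejected
    [null, 'global'],                 // missing parameter, default tab
];
foreach ($cases as [$input, $expected]) {
    $got = select_batch_manager_tab($input);
    if ($got !== $expected) {
        fwrite(STDERR, "unexpected result: " . var_export($input, true) . " -> $got\n");
        exit(1);
    }
}
echo "all " . count($cases) . " inputs resolved to an allowlisted tab\n";
```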


@plegall plegall closed this in 9dd9295 Dec 19, 2016

@plegall plegall self-assigned this Dec 19, 2016

@plegall plegall added this to the 2.9.0beta2 milestone Dec 19, 2016

@plegall plegall added the Type: Bug label Dec 19, 2016



commented Dec 19, 2016

use CVE-2016-10084



commented Dec 20, 2016

A CVE? I admit I've never filed any. When a security issue is reported, the reporter sometimes gives us a CVE.

In my opinion this security issue is really minor because it requires being an administrator.

plegall added a commit that referenced this issue Jan 1, 2017

@plegall plegall modified the milestones: 2.8.5, 2.9.0beta2 Jan 1, 2017
