Cross Site Scripting #575

Shinkurt opened this issue Dec 18, 2016 · 3 comments



commented Dec 18, 2016

In Piwigo/admin/plugin.php

```php
// admin/plugin.php, lines 32, 59 and 66 as quoted in the report
$sections = explode('/', $_GET['section']);               // line 32
$filename = PHPWG_PLUGINS_PATH . implode('/', $sections); // line 59
die ('Missing file ' . $filename);                        // line 66
```

As you can see, a user-controlled input $_GET['section'] ($filename) is being sent to die() and printed out without any sanitization. This could result in cross-site scripting because die() prints out content just like echo() before exiting.

Fix: do htmlentities($filename);
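The sink described in the report, side by side with the proposed htmlentities() fix, as an added example that is not Piwigo's code and not part of the original issue. The message is returned from a function instead of passed straight to die() so both variants can be run in one script; PHPWG_PLUGINS_PATH, the is_file() condition guarding the die() call and the ?section= payload are assumptions made for the demonstration.

```php
<?php
// Added example (not Piwigo's code): models the pattern reported in
// admin/plugin.php. The error text is returned rather than passed to
// die() so the vulnerable and fixed variants can both be exercised.
// PHPWG_PLUGINS_PATH is assumed here; in Piwigo it is a real constant.
if (!defined('PHPWG_PLUGINS_PATH')) {
    define('PHPWG_PLUGINS_PATH', './plugins/');
}

// Builds the same $filename the reported code builds from $_GET['section'].
// explode()/implode() on '/' leave every other byte exactly as received.
function plugin_section_path(string $section): string
{
    $sections = explode('/', $section);
    return PHPWG_PLUGINS_PATH . implode('/', $sections);
}

// Vulnerable: what die('Missing file ' . $filename) writes into the HTML
// response. Attacker-controlled bytes reach the page body untouched.
function missing_file_message_vulnerable(string $section): string
{
    return 'Missing file ' . plugin_section_path($section);
}

// Fixed: escape at the sink. ENT_QUOTES also converts single quotes, which
// matters if the message is ever placed inside an attribute value.
function missing_file_message_fixed(string $section): string
{
    return 'Missing file ' . htmlentities(plugin_section_path($section), ENT_QUOTES, 'UTF-8');
}

// How the fix sits in request handling. The is_file() guard is assumed;
// the point is that escaping happens before die() no matter who is logged
// in, so an administrator following a crafted link gets an inert message.
function handle_missing_plugin_file(string $section): void
{
    if (!is_file(plugin_section_path($section))) {
        die(missing_file_message_fixed($section));
    }
}

// Constructed payload: the kind of value a crafted link would carry in ?section=
$payload = 'foo/<script>alert(document.cookie)</script>';

echo 'vulnerable: ', missing_file_message_vulnerable($payload), PHP_EOL;
echo 'fixed:      ', missing_file_message_fixed($payload), PHP_EOL;
```

Run with `php example.php`: the vulnerable line contains a live `<script>` element, the fixed line contains `&lt;script&gt;`, which a browser renders as text. Escaping at the sink is the right place for the fix because it does not depend on how the value was built upstream or on the privilege level of the user who loads the page.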



commented Dec 20, 2016

Earlier in this file, you can find:


So only Piwigo administrators can exploit this "security issue". Is that really a problem?



commented Dec 20, 2016

It should be, because an attacker would only need to give the admin a malicious XSS link, and when the authorized admin visits it, check_status(ACCESS_ADMINISTRATOR); will return true. So yes, it is as dangerous.

@plegall plegall closed this in 7df3830 Dec 24, 2016



commented Dec 30, 2016

Use CVE-2016-10083 for this.

plegall added a commit that referenced this issue Jan 1, 2017

@plegall plegall self-assigned this Jan 1, 2017

@plegall plegall added the Type: Bug label Jan 1, 2017

@plegall plegall added this to the 2.8.5 milestone Jan 1, 2017
