
Cross Site Scripting #575

Closed
Shinkurt opened this issue Dec 18, 2016 · 3 comments

Comments

@Shinkurt

In Piwigo/admin/plugin.php

32: $sections = explode('/', $_GET['section']); 
59: $filename = PHPWG_PLUGINS_PATH . implode('/', $sections); 
66: die ('Missing file ' . $filename); 

As you can see, the user-controlled input $_GET['section'] ($filename) is being sent to die(), printing it out without any sanitization. This could result in cross-site scripting because die() prints out content just like echo() before exit.

Fix: do htmlentities($filename);
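As an added illustration (not Piwigo's code and not the reporter's), here is the reported pattern beside an encoded form, with a strict allow-list check for the section value; PLUGINS_DIR and the function names are assumed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for PHPWG_PLUGINS_PATH (illustration only).
const PLUGINS_DIR = '/var/www/piwigo/plugins/';

// Mirrors the reported code: the path derived from $_GET['section'] is
// concatenated into the message unchanged, so any markup in it is reflected
// verbatim into the HTML response when die() prints it.
function missing_file_message_raw(string $section): string
{
    $sections = explode('/', $section);
    $filename = PLUGINS_DIR . implode('/', $sections);
    return 'Missing file ' . $filename;
}

// Hardened form: encode for the HTML context before the value reaches the
// response body. htmlentities() with ENT_QUOTES also neutralises quotes, so
// the value is safe inside attributes as well as element text.
function missing_file_message_escaped(string $section): string
{
    $sections = explode('/', $section);
    $filename = PLUGINS_DIR . implode('/', $sections);
    return 'Missing file ' . htmlentities($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth: a plugin section is only ever a short relative path, so
// reject anything else up front instead of relying on output encoding alone.
function is_valid_section(string $section): bool
{
    return preg_match('~^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_.\-]+)*$~', $section) === 1
        && strpos($section, '..') === false;
}

// Constructed input standing in for $_GET['section'] that carries markup.
$section = 'example/<b>not-a-plugin</b>';

if (!is_valid_section($section)) {
    // Reject before any file lookup or error message is built.
    echo 'Invalid section parameter', PHP_EOL;
}
// Markup passes through unchanged here.
echo missing_file_message_raw($section), PHP_EOL;
// Same message with the markup encoded; the browser renders it as text.
echo missing_file_message_escaped($section), PHP_EOL;
```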

@plegall (Member)

plegall commented Dec 20, 2016

Earlier in this file, you can find:

check_status(ACCESS_ADMINISTRATOR);

So only Piwigo administrators can exploit this "security issue". Is that really a problem?

@Shinkurt (Author)

It should be, because an attacker would only need to give the admin a malicious XSS link, and when the authorized admin visits it, check_status(ACCESS_ADMINISTRATOR); will return true. So yes, it is as dangerous.

@Shinkurt (Author)

Use CVE-2016-10083 for this.

plegall added a commit that referenced this issue Jan 1, 2017
@plegall plegall self-assigned this Jan 1, 2017
@plegall plegall added this to the 2.8.5 milestone Jan 1, 2017