Cross Site Scripting in image upload. #600
Comments
Hi @boogyman2 can you please send me an email with more details? "plg" /at/ "piwigo.org"
Hello
up?
you up? @plegall
I admit I don't really like to modify the original filename. If you use the web upload form, you execute the javascript in file name, but it is not "stored", so it's not a real problem.
Maybe it's enough to check during upload that the given filename does not contain < > (invalid for both Windows / Linux).
On Jan 27, 2017 11:16, "Pierrick Le Gall" wrote:
I admit I don't really like to modify the original filename. If you use the web upload form, you execute the javascript in file name, but it is not "stored", so it's not a real problem.
"<" is valid in filename on Linux :-/ One thing really nice on the upload form, compared to FTP synchronization, is that you have no constraint on filename. @boogyman2 The current solution, using htmlentities before registering in database, prevents from stored XSS.
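As an added example (not Piwigo code and not from this thread), the two approaches discussed above side by side in Python, with html.escape standing in for PHP's htmlentities: the proposed reject-< > check at upload time, and encoding the name before it is stored, verified by parsing a hypothetical gallery fragment to confirm the filename contributes no tags or attributes of its own while the original name stays recoverable. The sample filenames and the template are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample filenames for this demonstration (not taken from the issue).
SAMPLES = [
    "holiday.png",
    "<b>bold</b>.png",      # markup inside the name, the case the report describes
    'my "best" photo.png',  # no angle brackets, yet quotes matter inside an attribute
]

def rejects_angle_brackets(filename: str) -> bool:
    """Upload-time blocklist proposed in the thread: accept only names without < or >.
    It refuses names that are legal on Linux and ignores quotes, so alone it is incomplete."""
    return "<" not in filename and ">" not in filename

def encode_for_storage(filename: str) -> str:
    """Fix described in the thread: encode before the name is written to the database.
    html.escape(quote=True) stands in for PHP's htmlentities with ENT_QUOTES."""
    return html.escape(filename, quote=True)

def round_trips(filename: str) -> bool:
    """Encoding loses nothing: the original name is recoverable for display or download."""
    return html.unescape(encode_for_storage(filename)) == filename

def render_thumbnail(stored_name: str) -> str:
    """Hypothetical gallery template: the stored name lands in an attribute and a text node."""
    return f'<img alt="{stored_name}"><span>{stored_name}</span>'

class _MarkupCollector(HTMLParser):
    """Records every start tag and attribute name a browser would see in the fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def markup_in(fragment: str) -> tuple[list[str], list[str]]:
    """Tags and attribute names present in a rendered fragment."""
    collector = _MarkupCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.attrs

def name_is_inert(filename: str) -> bool:
    """True when the encoded name adds no tags or attributes beyond the template's own."""
    rendered = render_thumbnail(encode_for_storage(filename))
    return markup_in(rendered) == (["img", "span"], ["alt"])
```

Without encoding, the second sample name injects a `b` element into the fragment; with encoding, every sample renders as plain text and decodes back to the exact original name.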
@plegall okay pleg, I'm not much of a development guy, so I'll leave the choice of the better solution to you :). Can you grab me a CVE for this?
Usually, the reporter gives us the CVE, not the opposite :-)
Use the CVE Id, CVE-2017-5608
The latest version of Piwigo is vulnerable to a cross-site scripting vulnerability in the image upload function. The filename of an image can be crafted with a malicious payload, which in turn executes while viewing the image.
HTTP REQUEST:
POST /piwigo2/piwigo2/ws.php?method=pwg.images.upload&format=json HTTP/1.1
Host: x.x.x.x:xxxx
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://x.x.x.x:xxxx/piwigo2/piwigo2/admin.php?page=photos_add
Content-Length: 437474
Content-Type: multipart/form-data; boundary=---------------------------2133695097524014491600710750
Cookie: pwg_id=5bcim9rvd29i0grbe3qqg4qlk4; PHPSESSID=8e7766b7fc68cc81ee8cb8858dba1b1e; cid=1; wordpress_logged_in_8812ad623e46a1e5ebc36bb4a144d4be=admin%7C1484115709%7CSYNChB5ZsITQYFlPiW5bspgix97gGEwr05932gvtGtp%7Cda8b8a3479779d07c9d1759a52b8e52a7168da7170b66a093ff5ea93a09ec453
Connection: close
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="name"
test
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="chunk"
0
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="chunks"
1
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="category"
1
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="level"
0
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="pwg_token"
d0cc011709eb9b873188071ab872ebe7
-----------------------------2133695097524014491600710750
Content-Disposition: form-data; name="file"; filename="payloadhere.png"
Content-Type: image/png
A malicious script can be passed in the "payloadhere" section.