
Bug Report: Cross Site Scripting(XSS) in page parameter of admin.php #667

Closed
ghi5107 opened this issue May 4, 2017 · 7 comments

4 participants

@ghi5107

commented May 4, 2017

Steps to reproduce:

  1. Login to site as administrator;
  2. Access the following URL; the browser will run any script posted to the server, for example alert(1) to prompt a dialog.
    http://host/Piwigo-master/admin.php?page=cehny"><script>alert(1)</script>tcs7a

Environment:

  • Win7
  • Xampp (PHP, MySQL, Apache)
  • Latest stable build (Piwigo 2.9.0)

discovered by: ghi from Huawei WeiRan Labs

@ghi5107 ghi5107 changed the title Cross Site Scripting(XSS) in page parameter of admin.php Bug Report: Cross Site Scripting(XSS) in page parameter of admin.php May 9, 2017

@ghi5107
Author

commented Jun 2, 2017

Does anyone confirm the issue?
I think an XSS vulnerability is harmful to the administrator; an attacker may steal information by enticing an administrator to open a crafted web page.

@flop25
Member

commented Jun 6, 2017

Hello,
you don't have a correct version of Piwigo. This has been sanitized:
https://github.com/Piwigo/Piwigo/blob/master/admin.php#L114

@ghi5107
Author

commented Jun 7, 2017

Hi @flop25,
But today I downloaded the source code from https://codeload.github.com/Piwigo/Piwigo/zip/master and visited http://host/Piwigo-master/admin.php?page=cehny"><script>alert(1)</script>tcs7a; this issue still exists.
Please confirm the issue, thank you.
Response HTML (injected JavaScript code) as follows:

<a href="./admin.php?page=cehny"><script>alert(1)</script>tcs7a&amp;change_theme=1" class="tiptip" title="Switch to clear or dark colors for administration">

@flop25
Member

commented Jun 7, 2017

I couldn't execute anything,
but seeing https://github.com/Piwigo/Piwigo/blob/master/admin.php#L108 doesn't make me comfortable
need some backup here ^^ @plegall @modus75

@ghi5107
Author

commented Jun 7, 2017

Hi @flop25,
I think you could not execute anything because the page parameter was sanitized by your browser, not by Piwigo. I tested the issue with Internet Explorer 11.

Results for IE, Chrome and Firefox as follows:

IE (executes the JavaScript code)

Firefox (does not execute anything)

Chrome (does not execute anything)

@fgeek

commented Jun 7, 2017

CVE-2017-9452 has been assigned for this issue. Add it to commit message and ChangeLog file if/when you fix this issue. I do not think that CVE is needed if this was only in GitHub latest master package and not in any release (so maybe request it to be rejected). If needed I can also help verifying this issue.

@flop25
Member

commented Jun 7, 2017

@ghi5107 Thank you. During the night I also thought about this, since from the code it appears that nothing is sanitized.

@plegall plegall self-assigned this Jun 12, 2017

plegall added a commit that referenced this issue Jun 12, 2017

(cp 4310fe7) fixes #667, check $_GET['page'] to avoid XSS
This can be an issue only on Internet Explorer
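The attribute-context reflection quoted in the first post and the `$_GET['page']` check named in the commit message above, as an added PHP example that is not Piwigo's own code: the function names, the list of known admin pages and the default page name are assumptions made for illustration.

```php
<?php
// Added example, not Piwigo's own code. It shows the attribute-context
// reflection reported in this issue beside a hardened replacement. Function
// names, the page list and the default page name are assumptions.

// Vulnerable pattern: the raw query value is concatenated into an href
// attribute. A value containing `">` closes the attribute and the <a> tag,
// so whatever markup follows is rendered by the browser.
function render_theme_link_vulnerable(string $page): string
{
    return '<a href="./admin.php?page=' . $page . '&amp;change_theme=1"'
         . ' class="tiptip" title="Switch to clear or dark colors for administration">Theme</a>';
}

// Step 1 of the fix: accept only page names the application knows about and
// fall back to a default page for anything else (the commit above describes
// this as checking $_GET['page']).
function resolve_admin_page(?string $page, array $known_pages, string $default): string
{
    if ($page === null || !in_array($page, $known_pages, true)) {
        return $default;
    }
    return $page;
}

// Step 2 (defence in depth): encode the vetted value for the URL and then for
// the HTML attribute, so the output stays safe even if the allow-list is
// loosened later.
function render_theme_link_hardened(?string $page, array $known_pages, string $default): string
{
    $page = resolve_admin_page($page, $known_pages, $default);
    $href = './admin.php?page=' . rawurlencode($page) . '&change_theme=1';
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"'
         . ' class="tiptip" title="Switch to clear or dark colors for administration">Theme</a>';
}

// Constructed input: the payload from the report and an assumed page list.
$payload     = 'cehny"><script>alert(1)</script>tcs7a';
$known_pages = ['intro', 'configuration', 'themes', 'plugins'];

echo "vulnerable: ", render_theme_link_vulnerable($payload), "\n";
echo "hardened:   ", render_theme_link_hardened($payload, $known_pages, 'intro'), "\n";

// Under a web server the value would come from the request instead:
// $page = $_GET['page'] ?? null;
```

Run with `php example.php`. With the reporter's payload the vulnerable function reproduces the broken-out markup quoted in the thread, while the hardened function discards the unknown value and links to the default page. The server-side check is the control that matters: the thread shows the same payload being blocked by the Chrome and Firefox filters of the time but executed by Internet Explorer 11, so a browser-side filter cannot be relied on by the application.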

@plegall plegall closed this in 4310fe7 Jun 12, 2017

@plegall plegall added this to the 2.9.1 milestone Jun 12, 2017
