Bug Report: Cross Site Scripting (XSS) in page parameter of admin.php #667
Comments

Does anyone confirm the issue?

Hello

hi, @flop25

I couldn't execute anything

hi, @flop25 Results for IE, Chrome and Firefox are as follows:
IE: executes the JavaScript code
Firefox: does not execute anything
Chrome: does not execute anything

CVE-2017-9452 has been assigned for this issue. Add it to commit message and ChangeLog file if/when you fix this issue. I do not think that CVE is needed if this was only in GitHub latest master package and not in any release (so maybe request it to be rejected). If needed I can also help verifying this issue.

@ghi5107 Thank you. During the night, I also thought about this since from the code it appears that nothing is sanitized.


Steps to reproduce:
http://host/Piwigo-master/admin.php?page=cehny"><script>alert(1)</script>tcs7a
Environment:
Win7
Xampp (php mysql apache)
Latest stable build (piwigo 2.9.0)
discovered by: ghi from Huawei WeiRan Labs
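A minimal PHP illustration of the unsanitized reflection the thread describes, beside a hardened handler, added here as an example and not taken from Piwigo's code; the allowlist of admin page names and the render helpers are hypothetical.

```php
<?php
// Added illustration (not Piwigo's code): an admin router that reflects the
// "page" request parameter into HTML, beside a hardened version.
// The page names and the render helpers below are hypothetical.

// Vulnerable pattern: the raw parameter is interpolated into markup, so a
// value such as  cehny"><script>alert(1)</script>tcs7a  closes the href
// attribute and the <a> tag, and the browser parses a new <script> element.
function render_admin_link_vulnerable(string $page): string
{
    return '<a href="admin.php?page=' . $page . '">' . $page . '</a>';
}

// Hardened pattern, two layers:
//  1. Validate: "page" selects a code path, so only values from a fixed
//     allowlist of known admin pages are accepted; anything else falls back
//     to a safe default instead of being echoed back.
//  2. Encode: whatever is reflected goes through htmlspecialchars with
//     ENT_QUOTES, so ", ', < and > can no longer change the HTML context.
const ADMIN_PAGES = ['intro', 'photos', 'albums', 'users', 'plugins']; // hypothetical

function select_admin_page(?string $requested): string
{
    return in_array($requested, ADMIN_PAGES, true) ? $requested : 'intro';
}

function render_admin_link_hardened(?string $requested): string
{
    $page = select_admin_page($requested);
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="admin.php?page=' . $safe . '">' . $safe . '</a>';
}

// Returns true when the rendered markup still contains a live <script> tag.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Self-check with the payload from the report (constructed input).
$payload = 'cehny"><script>alert(1)</script>tcs7a';
$vuln = render_admin_link_vulnerable($payload);
$hard = render_admin_link_hardened($payload);

echo 'vulnerable: ', contains_script_tag($vuln) ? 'script tag reflected' : 'clean', "\n";
echo 'hardened:   ', contains_script_tag($hard) ? 'script tag reflected' : 'clean', "\n";
// Even without the allowlist, encoding alone leaves no unescaped < or ":
echo 'encoded payload: ', htmlspecialchars($payload, ENT_QUOTES, 'UTF-8'), "\n";
```

Run with `php example.php`; the first line reports the reflected script tag, the second reports clean because the unknown page name falls back to the default rather than being echoed.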