Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug Report: Cross Site Scripting(XSS) in page parameter of admin.php #667

Closed
ghi5107 opened this issue May 4, 2017 · 7 comments
Closed

Bug Report: Cross Site Scripting(XSS) in page parameter of admin.php #667

ghi5107 opened this issue May 4, 2017 · 7 comments
Assignees
@plegall
Labels
Section: Security
Milestone
2.9.1

Comments

@ghi5107
Copy link

ghi5107 commented May 4, 2017
edited
Loading

Steps to reproduce:

  1. Login to site as administrator;
  2. Access following URL, browser will run any scripts posted to server, for example: alert(1) to prompt a dialog.
    http://host/Piwigo-master/admin.php?page=cehny"><script>alert(1)</script>tcs7a
    default

Evironment:

  • Win7

  • Xampp (php mysql apache)

  • Latest stable build(piwigo 2.9.0)

discovered by: ghi from Huawei WeiRan Labs
@ghi5107 ghi5107 changed the title Cross Site Scripting(XSS) in page parameter of admin.php Bug Report: Cross Site Scripting(XSS) in page parameter of admin.php May 9, 2017
@ghi5107
Copy link
Author

ghi5107 commented Jun 2, 2017

Do anyone confirm the issue??
I think xss vulnerabiltiy is harmful to administrator, attacker may steal information by enticing a administator to open a crafted web page.

@flop25
Copy link
Member

flop25 commented Jun 6, 2017

Hello
you don't have a correct version of Piwigo. This has been sanitized
https://github.com/Piwigo/Piwigo/blob/master/admin.php#L114

@ghi5107
Copy link
Author

ghi5107 commented Jun 7, 2017

hi, @flop25
But today, i download sourcecode from https://codeload.github.com/Piwigo/Piwigo/zip/master , and visit http://host/Piwigo-master/admin.php?page=cehny"><script>alert(1)</script>tcs7a, this issue still exist.
please confirm the issue, thank you.
reponse html (injected javascript code) as follow:

<a href="./admin.php?page=cehny"><script>alert(1)</script>tcs7a&amp;change_theme=1" class="tiptip" title="Switch to clear or dark colors for administration">

@flop25
Copy link
Member

flop25 commented Jun 7, 2017
edited
Loading

i couldn't execute anything
2017-06-07_05-10-49
2017-06-07_05-07-57
but seeing https://github.com/Piwigo/Piwigo/blob/master/admin.php#L108 doesn't make me comfortable
need some backup here ^^ @plegall @modus75

@ghi5107
Copy link
Author

ghi5107 commented Jun 7, 2017

hi, @flop25
I think you could not execute anything because page parameter has been sanitized by your browser, not Piwigo. I test the issue by Internet explorer 11.

result for IE, chrome, firefox, as follows:

IE(execute javascript code)

ie

Firfox(not execute anything)

firfox

chrome(not execute anything)

chrome

@fgeek
Copy link

fgeek commented Jun 7, 2017

CVE-2017-9452 has been assigned for this issue. Add it to commit message and ChangeLog file if/when you fix this issue. I do not think that CVE is needed if this was only in GitHub latest master package and not in any release (so maybe request it to be rejected). If needed I can also help verifying this issue.

@flop25
Copy link
Member

flop25 commented Jun 7, 2017

@ghi5107 Thank you. During the night, I also thought about this since from the code it appears that nothing is sanitized

@plegall plegall self-assigned this Jun 12, 2017
plegall added a commit that referenced this issue Jun 12, 2017
@plegall
(cp 4310fe7) fixes #667, check $_GET['page'] to avoid XSS
1b22d08 
This can be an issue only on Internet Explorer
@plegall plegall added this to the 2.9.1 milestone Jun 12, 2017
@Akityo Akityo mentioned this issue Jun 26, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@plegall plegall

Labels
Section: Security
Projects
None yet
Milestone
2.9.1
Development

No branches or pull requests
4 participants
@fgeek @flop25 @plegall @ghi5107