
Bug Report: Stored cross site scripting(XSS) in virtual_name parameter of admin.php #716

Closed
Akityo opened this issue Jun 23, 2017 · 10 comments


Akityo commented Jun 23, 2017

# Steps to reproduce:

  1. Login to site as administrator;
  2. create a new album
  3. enter the payload ">
     payload has been base64encode "Ij48aW1nIHNyYz1hIG9uZXJyb3I9Y29uZmlybSgxKT4="
  4. now you can see this script execute everywhere

Environment:

  • Windows XP Professional
  • Apache
  • MySQL
  • PHP 5.4.45

discovered by: topsec(lizhiqiang)

plegall (Member) commented Jun 26, 2017

It's not a bug, it's a feature: administrators can use HTML (thus JavaScript) in photo/album titles.

@plegall plegall closed this as completed Jun 26, 2017
Akityo (Author) commented Jun 26, 2017

CVE-2017-9836 has been assigned for this issue. Actually it's a bug; I've never heard that album titles needed to execute JavaScript. And it may cause a lot of problems; hope you can fix it. Sincerely

flop25 (Member) commented Jun 26, 2017

"I've never heard that album titles needed to execute JavaScript": well, you can easily think of a script you need to activate on some albums' display/click etc.
"it may cause a lot of problems": you can also produce such a CVE for many text fields in many CMSs. For instance you can also do it for the description of pictures.
Furthermore you have to be logged in as administrator, which means you can do many things much worse, as you have already experienced, but also uploading infected files, changing the layout, adding scripts anywhere...
Finally I should add that publicly disclosing potential vulnerabilities through GitHub is not a responsible attitude. There is a contact form on our website and you can send to team at piwigo.org.
But still thank you for the reports.

plegall (Member) commented Jun 26, 2017

It would be a security issue if "anybody" could inject javascript, but that's absolutely not the case here.

@plegall plegall reopened this Jun 26, 2017
Akityo (Author) commented Jun 26, 2017

@flop25 @plegall
Firstly, I'm sorry for posting vulnerabilities to an open issue; next time I will contact you by email.
Secondly, I'm still confused about this issue:
#667
It's also a cross-site scripting in an administrator page, but you guys also fixed this bug in 2.9.1.
Aren't those the same problem? Isn't stored XSS more harmful than reflected XSS?

Akityo (Author) commented Jun 27, 2017

Hi plegall & flop25
May I publicly disclose the exploit to www.exploit-db.com if there is no fix plan coming?

plegall (Member) commented Jun 27, 2017

@Akityo issue #667 is not the same to me. In #667 the problem is that you can simply give a forged link to a Piwigo admin and hope (s)he will click the link. In this case, exploiting the "security issue" is much more complex than clicking a link.

Before publishing to any "exploit" website, let's discuss the "potential danger". If you can prove to me it's easy to exploit, we will work on it.

flop25 (Member) commented Jun 27, 2017

@plegall what we could do is avoid the script execution on the admin part, since it could be annoying and have side effects to execute JS made for the public side on the admin side.

Akityo (Author) commented Jun 28, 2017

@plegall Hi, I'm back, LOL
"it's a feature: administrators can use HTML (thus JavaScript) in photo/album titles."
I was thinking about that: if you want administrators to use JavaScript in photo/album titles,
maybe you can add an options menu when creating a title.
It is much more secure than executing any JavaScript,
because there is a "BOOM" in the back-stage, I mean Local Files Editor.

For example, one day a hacker finds a normal-user cross-site scripting;
a document.cookie could get a system shell.
That's a high-level risk to normal users.
That's why XSS is a high-risk vulnerability.
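The split flop25 proposes (no script execution in the admin UI) combined with the per-album opt-in Akityo suggests, as an added PHP example that is not Piwigo's code. The album row layout, the `allow_html` flag and the function names are assumptions; the sample title mirrors the report's `">`-prefixed payload so the attribute break-out is visible.

```php
<?php
// Added example, not Piwigo code. Renders an album name per display context:
// the admin UI always gets inert text; public pages get raw HTML only when the
// album explicitly opted in (hypothetical allow_html flag, standing in for the
// options menu proposed above).

const CTX_PUBLIC = 'public';
const CTX_ADMIN  = 'admin';

// ENT_QUOTES also escapes the double quote, so the same output is safe inside
// a quoted attribute value: the report's payload starts with "> precisely to
// close such an attribute when the quote is left unescaped.
function escape_html($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// $album is a hypothetical row: ['name' => string, 'allow_html' => bool].
function render_album_title(array $album, $context)
{
    $raw = (string) $album['name'];
    if ($context === CTX_PUBLIC && !empty($album['allow_html'])) {
        return $raw; // trusted, explicitly opted-in HTML, public side only
    }
    return escape_html($raw); // default: markup is displayed, never executed
}

// Admin edit form: the name always lands inside a quoted attribute, escaped,
// so it cannot terminate the value="" and start a new element.
function render_virtual_name_input(array $album)
{
    return '<input type="text" name="virtual_name" value="'
        . escape_html($album['name']) . '">';
}

// Constructed sample data.
$plain  = ['name' => 'Summer <3 2017', 'allow_html' => false];
$markup = ['name' => '"><b>Trip</b> <img src=x onerror=confirm(1)>', 'allow_html' => true];

echo render_album_title($plain, CTX_PUBLIC), "\n";  // plain title, entity-escaped
echo render_album_title($markup, CTX_ADMIN), "\n";  // admin UI: tags shown as text
echo render_album_title($markup, CTX_PUBLIC), "\n"; // public side: raw HTML, admin opted in
echo render_virtual_name_input($markup), "\n";      // quote and angle brackets escaped inside value=""
```

The key property is that the decision is made at output time per context, not at input time, so the stored value stays unchanged while the admin pages never interpret it as markup.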

fgeek commented Oct 7, 2017

I don't understand why it would be a functionality to add JavaScript to the album name, but this is not a vulnerability if it is a functionality and if there is no CSRF security issue. CVE should be rejected.


4 participants