Bug Report: Stored cross-site scripting (XSS) in virtual_name parameter of admin.php #716
Comments
It's not a bug, it's a feature: administrators can use HTML (thus JavaScript) in photo/album titles.
CVE-2017-9836 has been assigned for this issue. Actually it's a bug; I've never heard that album titles needed to execute JavaScript. And it may cause a lot of problems; hope you can fix it. Sincerely
"I've never heard that album titles needed to execute JavaScript" well, you can easily think of a script you need to activate on some album display/click, etc.
It would be a security issue if "anybody" could inject JavaScript, but that's absolutely not the case here.
@flop25 @plegall
Hi plegall & flop25 |
@Akityo issue #667 is not the same, to me. In #667 the problem is that you can simply give a forged link to a Piwigo admin and hope (s)he will click the link. In this case, exploiting the "security issue" is much more complex than clicking a link. Before publishing to any "exploit" website, let's discuss the "potential danger". If you can prove to me it's easy to exploit, we will work on it.
@plegall what we could do is avoid the script execution on the admin part, since it could be annoying and have side effects to execute JS made for the public side on the admin side.
@plegall Hi, I'm back, LOL. For example, one day a hacker found a normal-user cross-site scripting
I don't understand why it would be a functionality to add JavaScript to the album name, but this is not a vulnerability if it is a functionality and if there is no CSRF security issue. The CVE should be rejected.
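The mitigation flop25 suggests above, treating the stored title as data on the admin side while the public gallery keeps rendering it as HTML, as an added example that is not Piwigo's own code; the function names and the `virtual_name` input markup are assumptions, and the sample title is constructed:

```php
<?php
// Added example, not Piwigo code: context-aware escaping of album titles
// on the admin side. Function names below are assumptions, not Piwigo APIs.

/**
 * Escape a stored album title for insertion into HTML text or a quoted
 * attribute. ENT_QUOTES encodes both ' and " so the value cannot close
 * the surrounding attribute; < and > are encoded so no element is created.
 */
function escape_album_title_for_admin(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render the admin edit form field for the album name. The stored title
 * is treated as data here, even if the public side renders it as HTML.
 */
function render_admin_name_field(string $storedTitle): string
{
    $safe = escape_album_title_for_admin($storedTitle);
    return '<input type="text" name="virtual_name" value="' . $safe . '">';
}

/**
 * Same title rendered inside element text (e.g. an admin album list):
 * the same escaping applies, since < and > are the characters that
 * would otherwise start an element.
 */
function render_admin_list_entry(string $storedTitle): string
{
    return '<li>' . escape_album_title_for_admin($storedTitle) . '</li>';
}

// Constructed sample of the shape described in the report: a quote that
// would close the value attribute, then an element with an event handler.
$constructedTitle = '"><img src=a onerror=confirm(1)>';

// Both renderings keep the title inside its original context: the quote
// and angle brackets are entity-encoded, so the browser shows the literal
// text and no img element or onerror handler is created.
echo render_admin_name_field($constructedTitle), PHP_EOL;
echo render_admin_list_entry($constructedTitle), PHP_EOL;
```

Run with `php example.php` and inspect the two lines of markup; the public-side template is left untouched, so the behaviour plegall describes as intended is preserved there.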
# Steps to reproduce:
1. Login to site as administrator;
2. create a new album;
3. payload has been base64-encoded: "Ij48aW1nIHNyYz1hIG9uZXJyb3I9Y29uZmlybSgxKT4="

Environment:
- Windows XP Professional
- Apache
- MySQL
- PHP 5.4.45

Discovered by: topsec(lizhiqiang)