Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug Report: Stored cross site scripting(XSS) in virtual_name parameter of admin.php #716

Closed
Akityo opened this issue Jun 23, 2017 · 10 comments

Comments

Projects
None yet
4 participants
@Akityo
Copy link

commented Jun 23, 2017

# Steps to reproduce:

  1. Login to site as administrator;

  2. create a new album

image
image

  1. enter the payload ">
    payload has been base64encode "Ij48aW1nIHNyYz1hIG9uZXJyb3I9Y29uZmlybSgxKT4="
    image

image

  1. now you can see this script execute everywhere

image

Evironment:

  • Windows XP Professional

  • Apache

  • MySQL

  • PHP 5.4.45

discovered by: topsec(lizhiqiang)

@plegall

This comment has been minimized.

Copy link
Member

commented Jun 26, 2017

It's not a bug, it's a feature : administrators can use HTML (thus javascript) in photos/albums title.

@plegall plegall closed this Jun 26, 2017

@Akityo

This comment has been minimized.

Copy link
Author

commented Jun 26, 2017

CVE-2017-9836 has been assigned for this issue. Acually it's a bug , I've never hear about that Albums title needed to execute javascript. And it may cause lot of problems ,hope you can fix it . Sincerely

@flop25

This comment has been minimized.

Copy link
Member

commented Jun 26, 2017

"I've never hear about that Albums title needed to execute javascript" well you can easily think about a script you need to activate on some albums display/click etc
"it may cause lot of problems" You can also produce such CVE for many text fields in many CMS. For instance you can also for the Description of pictures.
Furthermore you have to be logged as administrator which means you can do many things much worst as you have already experienced, but also uploading infected files, changing the layout, adding scripts anywhere...
Finally I should add that publicly disclosing though github potential vulnerabilities is not a responsible attitude. There is a contact form on our website and you can send to team at piwigo.org
But still thank you for the reports

@plegall

This comment has been minimized.

Copy link
Member

commented Jun 26, 2017

It would be a security issue if "anybody" could inject javascript, but that's absolutely not the case here.

@plegall plegall reopened this Jun 26, 2017

@Akityo

This comment has been minimized.

Copy link
Author

commented Jun 26, 2017

@flop25 @plegall
firstly i'am sorry for post vulnerabilities to an open issues ,next time i will contact with email.
secondly i'am still confused about this issue
#667
It's also a cross side scripting in an admininistrator page , but you guys also fix this bug in 2.9.1
is'n those are the same problem ? Stored XSS isn't harmful than reflected XSS ?

@Akityo

This comment has been minimized.

Copy link
Author

commented Jun 27, 2017

Hi plegall & flop25
May I publicly disclosing exploit to www.exploit-db.com ? If there are no fix plan comming.

@plegall

This comment has been minimized.

Copy link
Member

commented Jun 27, 2017

@Akityo issue #667 is not the same to me. In #667 the problem is that you can simply give a forged link to a Piwigo admin and hope (s)he will clink the link. On this case, exploiting the "security issue" is much more complex than clicking a link.

Before publishing to any "exploit" website, let's discuss about the "potential danger". If you can prove me it's easy to exploit, we will work on it.

@flop25

This comment has been minimized.

Copy link
Member

commented Jun 27, 2017

@plegall what we could do, is to avoid the script execution on the admin part, since it could be annoying and have side effects to execute a js made for the public side on the admin side

@Akityo

This comment has been minimized.

Copy link
Author

commented Jun 28, 2017

@plegall Hi im back , LOL
"it's a feature : administrators can use HTML (thus javascript) in photos/albums title."
I was think about that ,if you want administrators use javascript in photos/albums title,
maybe you can add an options menu when creating a title.
Is much more security than execute any javascript.
because there a "BOOM" in back-stage, i mean Local Files Editor.

For example one day , hacker found a normal-user Cross-Site Scripting
a document.cookie could get system shell.
that's a high level risk to normal user.
that's why XSS is High-risk vulnerabilities

@fgeek

This comment has been minimized.

Copy link

commented Oct 7, 2017

I don't understand why it would be a functionality to add JavaScript to the album name, but this is not a vulnerability if it is a functionality and if there is no CSRF security issue. CVE should be rejected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.