@flop25 Sorry for that, and this one is probably the last bug report to piwigo :(
I just want the CVE Assignment Team to know the details, and they will verify whether this issue is a bug or not.
Because there is also an argument about a bug or not a bug between security researcher and programmer.
In addition, there is an information leak about the system root path when requesting the URL: http://piwigo.org/demo/feed.php?feed=*
check_input_parameter /home/sys/var/www/piwigo.org/demo/feed.php(64)
@Akityo You can request CVEs without publishing the details in a public issue tracker. You can use https://cveform.mitre.org/ and reveal only the needed details. The CVE description can be updated after the CVE assignment if the issue is so critical that you don't want to reveal the info to MITRE before a fix. If you need any help or more information, feel free to contact me.
Proof-of-Concept
version: 2.9.1
section status
section comments
Report By Topsec(Li Zhiqiang)