
Piwigo v2.9.2 - SQL injection in administration panel #839

jorkro opened this Issue Feb 11, 2018 · 0 comments


jorkro commented Feb 11, 2018

An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers that are authenticated as administrator to inject SQL code into a query. This could result in full information disclosure.

The SQL injection vulnerability was found in admin/tags.php and is done by injecting SQL code in the 'tags' POST variable. This variable is only sanitized by addslashes() and is not encapsulated by quotes in the concatenated SQL string allowing the injection to work. Furthermore, the result set is part of the page output allowing information disclosure about other tables in the database.

The POST variables 'edit_list' and 'merge_list' are also vulnerable to this attack; however, no exploit exists to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893, issue #804).

The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.

A PoC can be provided. I'm tracking this under CVE-2018-6883.
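The sanitization gap the report describes, escaping with addslashes() but splicing the value into the SQL text without quotes, is shown below beside a hardened form. This is an added, hypothetical illustration written for this page, not code from Piwigo's admin/tags.php; it assumes a `tags` table with `id` and `name` columns and a PDO connection.

```php
<?php
// addslashes() only escapes ' " \ and NUL. When the value is placed in the query
// WITHOUT surrounding quotes, nothing forces the database to read it as a number,
// so any non-numeric token passes through the escaping untouched and reaches the
// SQL parser as query text. (Hypothetical pattern, not Piwigo's own code.)
function build_tag_query_unsafe(array $tags): string
{
    $list = implode(',', array_map('addslashes', $tags));
    return 'SELECT id, name FROM tags WHERE id IN (' . $list . ')';
}

// Hardened step 1: enforce the type the query actually expects. Every element
// must be a string of decimal digits; anything else is rejected before it gets
// anywhere near the SQL.
function validated_tag_ids(array $tags): array
{
    $ids = [];
    foreach ($tags as $t) {
        if (!is_string($t) || !ctype_digit($t)) {
            throw new InvalidArgumentException('tag id must be a non-negative integer');
        }
        $ids[] = (int) $t;
    }
    return $ids;
}

// Hardened step 2: send the values as bound parameters, never as query text,
// so the database engine can never mistake a value for SQL syntax.
function fetch_tags(PDO $db, array $tags): array
{
    $ids = validated_tag_ids($tags);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM tags WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the request parameter the report names (assumes $db is an open PDO handle):
// $rows = fetch_tags($db, (array) ($_POST['tags'] ?? []));
```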

@plegall plegall self-assigned this Feb 21, 2018

@plegall plegall added this to the 2.9.3 milestone Feb 21, 2018

@plegall plegall closed this in 02275fe Feb 21, 2018
