Piwigo v2.9.2 - SQL injection in administration panel #839
An SQL injection has been discovered in the administration panel of Piwigo v2.9.2. The vulnerability allows remote attackers that are authenticated as administrator to inject SQL code into a query. This could result in full information disclosure.
The SQL injection vulnerability was found in admin/tags.php and is triggered by injecting SQL code through the 'tags' POST variable. This variable is only sanitized with addslashes() and is not enclosed in quotes when it is concatenated into the SQL string, so a payload that contains no quote characters passes through addslashes() unchanged and is executed as SQL. Furthermore, the result set is part of the page output, allowing information disclosure about other tables in the database.
The POST variables 'edit_list' and 'merge_list' are also vulnerable to this attack; however, no exploit exists to disclose information through these variables. A separate vulnerability report was made for 'edit_list' (CVE-2017-16893, issue #804).
The security risk of the vulnerability is estimated as low with a CVSS score of 3.8. Exploitation of the web vulnerability requires the attacker to be authenticated as administrator.
A PoC can be provided. I'm tracking this under CVE-2018-6883.
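The following is an added example, not code from this report or from Piwigo, that models the pattern described above: a list of tag ids is run through addslashes() and then concatenated unquoted into an `IN (...)` clause. The query shape (`SELECT id, name FROM tags WHERE id IN (...)`), the `users` table and the rows in it are constructed for the demonstration and are assumptions, not Piwigo's schema. The vulnerable builder is shown beside a hardened one that validates each id as an integer and binds it as a parameter.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Python model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_vulnerable_query(tags_param: str) -> str:
    # Escaped but never quoted: the value is spliced in as raw SQL, so a
    # payload without quote characters is unaffected by addslashes().
    return "SELECT id, name FROM tags WHERE id IN (%s)" % addslashes(tags_param)


def build_safe_query(tags_param: str):
    # Hardened form: each piece must be a non-negative integer, and the ids
    # are passed as bound parameters rather than concatenated into the SQL.
    ids = []
    for piece in tags_param.split(","):
        piece = piece.strip()
        if not piece.isdigit():
            raise ValueError("invalid tag id: %r" % piece)
        ids.append(int(piece))
    placeholders = ",".join("?" * len(ids))
    return "SELECT id, name FROM tags WHERE id IN (%s)" % placeholders, ids


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database (assumed schema, not Piwigo's).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tags(id INTEGER, name TEXT);
        INSERT INTO tags VALUES (1, 'holiday'), (2, 'family');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
        """
    )
    return conn


def run_vulnerable(conn: sqlite3.Connection, tags_param: str):
    return conn.execute(build_vulnerable_query(tags_param)).fetchall()


def run_safe(conn: sqlite3.Connection, tags_param: str):
    sql, params = build_safe_query(tags_param)
    return conn.execute(sql, params).fetchall()


# Constructed payload: closes the IN list, appends a UNION that reads another
# table, and comments out the trailing ")". It contains no quote characters.
PAYLOAD = "0) UNION SELECT username, password FROM users -- "


if __name__ == "__main__":
    conn = make_db()
    print("benign, safe   :", run_safe(conn, "1, 2"))
    print("payload escaped:", addslashes(PAYLOAD) == PAYLOAD)
    print("payload, vuln  :", run_vulnerable(conn, PAYLOAD))
    try:
        run_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("payload, safe  : rejected ->", exc)
```

The point the example makes is that addslashes() only neutralises quote characters; in a numeric context that is never quoted, the attacker simply does not need any, so the escaping is irrelevant and the `users` row comes back in the same result set the page renders. The fix is to reject anything that is not an integer id and to bind the values, not to escape more characters.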