Piwigo, an open-source photo gallery application, has been found to contain a reflected cross-site scripting (XSS) vulnerability in versions up to 14...beta3. This post covers the details of this vulnerability, including an example code snippet, links to the original references, and exploit details.

Vulnerability Details

The vulnerability is present in the /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here] page of Piwigo. It allows an attacker to inject HTML and JavaScript into the page because the plugin_id value taken from the URL is written into the HTML output without any encoding. When a victim who is logged in as an administrator visits a URL carrying such a value, the attacker's code is executed in the administrator's browser.

Here is a code snippet from the affected PHP file, showing the insecure injection of the plugin_id value:

<?php
// Excerpt from the affected admin page. l10n() is Piwigo's translation
// helper and $conf['action'] holds the current install/update action.
echo '<div class="install_ok">'
  .'<p>'
  .[
    'install.status.ok' => '',
  ][$_GET['installstatus']]
  .sprintf(
    l10n('Plugin [%s] was successfully %s.'),
    // plugin_id comes straight from the query string and is emitted as raw HTML:
    // no htmlspecialchars() or equivalent encoding is applied.
    '<strong>'.$_GET['plugin_id'].'</strong>',
    [
      'install.ok' => l10n('installed'),
      'update.ok' => l10n('updated'),
    ][$conf['action']]
  )
  .'</p>'
  .'</div>';
?>

Anyone who can get a victim to open a crafted URL can exploit this vulnerability. However, only logged-in administrators are affected, since the vulnerable page is only accessible to them.

An attacker can craft a malicious URL containing a specially crafted plugin_id value. For instance:

http://example.com/piwigo/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=<script>alert('XSS')</script>

When a logged-in administrator visits this URL, the JavaScript payload <script>alert('XSS')</script> will be executed, causing an alert box with the message "XSS" to appear. A real-world attacker could use a more advanced payload to steal user credentials, redirect to a malicious website, or take control of the victim's session.

Mitigation

This vulnerability has been patched in Piwigo version 14...beta4. Upgrading to this version or later will fix the vulnerability.
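As an added illustration (not Piwigo's own code or its actual patch), the following stand-alone PHP rewrites the message rendering from the snippet above in its vulnerable form and beside a hardened form, and adds an allowlist check. l10n() is a stand-in for Piwigo's translation helper, and the assumption that a plugin id is a simple directory-style name is mine.

```php
<?php
// Stand-in for Piwigo's l10n(): returns the message unchanged.
function l10n(string $s): string { return $s; }

// Vulnerable form: the attacker-controlled plugin_id is concatenated
// straight into the HTML, so "<script>" in the query string becomes markup.
function render_vulnerable(string $plugin_id, string $action): string {
    $verb = ['install.ok' => l10n('installed'),
             'update.ok'  => l10n('updated')][$action] ?? '';
    return '<div class="install_ok"><p>'
        . sprintf(l10n('Plugin [%s] was successfully %s.'),
                  '<strong>' . $plugin_id . '</strong>', $verb)
        . '</p></div>';
}

// Hardened form: encode the value for an HTML text context before output.
// ENT_QUOTES also covers attribute contexts; the charset is explicit so
// multi-byte input cannot be mis-decoded into markup.
function render_hardened(string $plugin_id, string $action): string {
    $safe_id = htmlspecialchars($plugin_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $verb = ['install.ok' => l10n('installed'),
             'update.ok'  => l10n('updated')][$action] ?? '';
    return '<div class="install_ok"><p>'
        . sprintf(l10n('Plugin [%s] was successfully %s.'),
                  '<strong>' . $safe_id . '</strong>', $verb)
        . '</p></div>';
}

// Defence in depth (assumption: plugin ids are directory-style names):
// reject anything outside a conservative allowlist before it is rendered.
function is_valid_plugin_id(string $plugin_id): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $plugin_id);
}

// Constructed sample input modelled on the payload discussed in the post.
$payload = "<script>alert('XSS')</script>";
echo render_vulnerable($payload, 'install.ok'), PHP_EOL; // script tag survives
echo render_hardened($payload, 'install.ok'), PHP_EOL;   // entities only
var_dump(is_valid_plugin_id($payload));                  // rejected
var_dump(is_valid_plugin_id('my_plugin-2'));             // accepted
```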

References

- Piwigo GitHub Repository: https://github.com/Piwigo/Piwigo
- Piwigo 14...beta4 Release Notes: https://piwigo.org/releases/14...beta4
- Piwigo Security Report: https://github.com/Piwigo/Piwigo-security/blob/master/vulnerabilities/PSC-reflected-xss.md

Conclusion

It is crucial for administrators using Piwigo to ensure that their installations are up-to-date with the latest patches, in order to avoid potential security risks such as the reflected XSS vulnerability discussed in this post. By updating to version 14...beta4 or later, administrators can protect their application from this specific vulnerability and provide a safer environment for their users.

Timeline

Published on: 10/09/2023 15:15:10 UTC
Last modified on: 10/13/2023 18:42:49 UTC