Piwigo Bugtracker

Viewing Issue Advanced Details Jump to Notes ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0002430 [Piwigo] security major always 2011.09.04 22:57 2011.10.04 14:50
Reporter lovasoa View Status public  
Assigned To plg
Priority normal Resolution fixed Platform
Status closed   OS
Projection none   OS Version
ETA none Fixed in Version 2.3.0 Product Version 2.2.5
  Target Version Product Build
Summary 0002430: Cross-site scripting
Description There are several xss security vulnerabilities in Piwigo.
Steps To Reproduce Go to http://piwigo.org/demo/index.php?/index.php?/%22%3E%3Cscript%3Ealert%2842%29%3C/script%3E%3C!-- [^]

(Tested in firefox only, but should work on other browsers)
Additional Information This could allow an attacker to steal the administrator credentials, and then do whatever he wants with the gallery.
Tags No tags attached.
browser Mozilla
Database engine and version
PHP version
Web server Apache 1.3.x
Attached Files

- Relationships

-  Notes
rvelices (developer)
2011.09.05 21:38
edited on: 2011.09.05 21:39

I confirm, but I think the example is due to a plugin theme switcher (correction language switcher) and not the core.

lovasoa - how would you steal the credentials ?

plg (manager)
2011.09.06 16:19

Well... languageSwitch is provided by default with Piwigo.

I also wonder how you can get any admin credentials with this technique. Yes you can annoy someone, but stealing admin password is another thing.

In plugins/language_switch/language_switch.inc.php, replace this:

         'url' => str_replace(
           add_url_params($url_starting, array('lang'=> $code))

with this:

        'url' => add_url_params(duplicate_index_url(), array('lang'=> $code)),

It works much better, exception on the homepage (if your home page is not the root of albums)
lovasoa (reporter)
2011.09.07 22:04

I think an attacker could exploit this bug by sending to an admin an url that includes a script replacing dynamically the login form by a fake one. The fake form would be submitted to http://imevil.org [^] instead of http://piwigo.org. [^]

And that's just an exemple of what we can do with an XSS in every page of piwigo.
That's why I think this bug should be corrected as soon as possible...
lovasoa (reporter)
2011.09.11 09:34

The script contained in the URL I gave in the first post was blocked by the anti-XSS filter that is present in all recent WebKit browsers. Here is a new URL that should work in more browsers: http://piwigo.org/demo/index.php?/index.php?*/)%3C/script%3E%3C!--/%22%3E%3Cscript%3Ealert(42/* [^]

It would be really cool if you could correct that bug...
lovasoa (reporter)
2011.09.17 20:39

Is anyone interested in solving this issue?

I wrote an exploit that uses this bug to extract the user's password, if it has been pre-filled by the browser (if the user clicked "remember my password" in his browser during a previous connection). Works on Webkit + Gecko
It's here :
http://piwigo.org/demo/index.php?/index.php?*/)%3C/script%3E%3C!--/%22%3E%3Cscript%3Eeval(decodeURIComponent(%2F%252A%252A%252FsetTimeout(%2527alert(document%252EgetElementById(%2522password%2522)%252Evalue)%2527,3000)%252F%2F)/* [^]
plg (manager)
2011.10.04 14:40

We have the same problem with the "edit" button on a PWG Stuffs block.
svn (reporter)
2011.10.04 14:48

[Subversion] r12342 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
bug 2430 fixed: prevents from cross site scripting, the URL is cleanly rewritten
plg (manager)
2011.10.04 14:49

I mark this bug has fixed because it's fixed in the Language Switch plugin, which is provided by default, and I notify P@t for fixing it on PWG Stuffs.

- Issue History
Date Modified Username Field Change
2011.09.04 22:57 lovasoa New Issue
2011.09.04 22:57 lovasoa browser => Mozilla
2011.09.04 22:57 lovasoa Web server => Apache 1.3.x
2011.09.05 21:38 rvelices Note Added: 0005469
2011.09.05 21:39 rvelices Note Edited: 0005469
2011.09.06 16:19 plg Note Added: 0005471
2011.09.07 22:04 lovasoa Note Added: 0005485
2011.09.11 09:34 lovasoa Note Added: 0005509
2011.09.17 20:39 lovasoa Note Added: 0005536
2011.10.04 14:40 plg Note Added: 0005662
2011.10.04 14:48 svn Checkin
2011.10.04 14:48 svn Note Added: 0005663
2011.10.04 14:49 plg Note Added: 0005664
2011.10.04 14:50 plg Assigned To => plg
2011.10.04 14:50 plg Status new => closed
2011.10.04 14:50 plg Resolution open => fixed
2011.10.04 14:50 plg Fixed in Version => 2.3.0

Mantis 1.1.6[^]
Copyright © 2000 - 2008 Mantis Group
Powered by Mantis Bugtracker