Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0002430Piwigosecuritypublic2011.09.04 22:572011.10.04 14:50
Assigned Toplg 
PlatformOSOS Version
Product Version2.2.5 
Target VersionFixed in Version2.3.0 
Summary0002430: Cross-site scripting
DescriptionThere are several xss security vulnerabilities in Piwigo.
Steps To ReproduceGo to http://piwigo.org/demo/index.php?/index.php?/%22%3E%3Cscript%3Ealert%2842%29%3C/script%3E%3C!-- [^]

(Tested in firefox only, but should work on other browsers)
Additional InformationThis could allow an attacker to steal the administrator credentials, and then do whatever he wants with the gallery.
TagsNo tags attached.
Database engine and version
PHP version
Web serverApache 1.3.x
Attached Files

- Relationships

-  Notes
rvelices (developer)
2011.09.05 21:38
edited on: 2011.09.05 21:39

I confirm, but I think the example is due to a plugin theme switcher (correction language switcher) and not the core.

lovasoa - how would you steal the credentials ?

plg (manager)
2011.09.06 16:19

Well... languageSwitch is provided by default with Piwigo.

I also wonder how you can get any admin credentials with this technique. Yes you can annoy someone, but stealing admin password is another thing.

In plugins/language_switch/language_switch.inc.php, replace this:

         'url' => str_replace(
           add_url_params($url_starting, array('lang'=> $code))

with this:

        'url' => add_url_params(duplicate_index_url(), array('lang'=> $code)),

It works much better, exception on the homepage (if your home page is not the root of albums)
lovasoa (reporter)
2011.09.07 22:04

I think an attacker could exploit this bug by sending to an admin an url that includes a script replacing dynamically the login form by a fake one. The fake form would be submitted to http://imevil.org [^] instead of http://piwigo.org. [^]

And that's just an exemple of what we can do with an XSS in every page of piwigo.
That's why I think this bug should be corrected as soon as possible...
lovasoa (reporter)
2011.09.11 09:34

The script contained in the URL I gave in the first post was blocked by the anti-XSS filter that is present in all recent WebKit browsers. Here is a new URL that should work in more browsers: http://piwigo.org/demo/index.php?/index.php?*/ [^])%3C/script%3E%3C!--/%22%3E%3Cscript%3Ealert(42/*

It would be really cool if you could correct that bug...
lovasoa (reporter)
2011.09.17 20:39

Is anyone interested in solving this issue?

I wrote an exploit that uses this bug to extract the user's password, if it has been pre-filled by the browser (if the user clicked "remember my password" in his browser during a previous connection). Works on Webkit + Gecko
It's here :
http://piwigo.org/demo/index.php?/index.php?*/ [^])%3C/script%3E%3C!--/%22%3E%3Cscript%3Eeval(decodeURIComponent(%2F%252A%252A%252FsetTimeout(%2527alert(document%252EgetElementById(%2522password%2522)%252Evalue)%2527,3000)%252F%2F)/*
plg (manager)
2011.10.04 14:40

We have the same problem with the "edit" button on a PWG Stuffs block.
svn (reporter)
2011.10.04 14:48

[Subversion] r12342 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
bug 2430 fixed: prevents from cross site scripting, the URL is cleanly rewritten
plg (manager)
2011.10.04 14:49

I mark this bug has fixed because it's fixed in the Language Switch plugin, which is provided by default, and I notify P@t for fixing it on PWG Stuffs.

- Issue History
Date Modified Username Field Change
2011.09.04 22:57 lovasoa New Issue
2011.09.04 22:57 lovasoa browser => Mozilla
2011.09.04 22:57 lovasoa Web server => Apache 1.3.x
2011.09.05 21:38 rvelices Note Added: 0005469
2011.09.05 21:39 rvelices Note Edited: 0005469
2011.09.06 16:19 plg Note Added: 0005471
2011.09.07 22:04 lovasoa Note Added: 0005485
2011.09.11 09:34 lovasoa Note Added: 0005509
2011.09.17 20:39 lovasoa Note Added: 0005536
2011.10.04 14:40 plg Note Added: 0005662
2011.10.04 14:48 svn Checkin
2011.10.04 14:48 svn Note Added: 0005663
2011.10.04 14:49 plg Note Added: 0005664
2011.10.04 14:50 plg Assigned To => plg
2011.10.04 14:50 plg Status new => closed
2011.10.04 14:50 plg Resolution open => fixed
2011.10.04 14:50 plg Fixed in Version => 2.3.0

Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker