This bugtracker is kept to provide history on old issues.
|Anonymous | Login | Signup for a new account||2017.03.25 20:30 CET|
|My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002430||Piwigo||security||public||2011.09.04 22:57||2011.10.04 14:50|
|Target Version||Fixed in Version||2.3.0|
|Summary||0002430: Cross-site scripting|
|Description||There are several xss security vulnerabilities in Piwigo.|
|Steps To Reproduce||Go to http://piwigo.org/demo/index.php?/index.php?/%22%3E%3Cscript%3Ealert%2842%29%3C/script%3E%3C!-- [^]|
(Tested in firefox only, but should work on other browsers)
|Additional Information||This could allow an attacker to steal the administrator credentials, and then do whatever he wants with the gallery.|
|Tags||No tags attached.|
|Database engine and version|
|Web server||Apache 1.3.x|
edited on: 2011.09.05 21:39
I confirm, but I think the example is due to a plugin theme switcher (correction language switcher) and not the core.
lovasoa - how would you steal the credentials ?
Well... languageSwitch is provided by default with Piwigo.
I also wonder how you can get any admin credentials with this technique. Yes you can annoy someone, but stealing admin password is another thing.
In plugins/language_switch/language_switch.inc.php, replace this:
'url' => str_replace(
add_url_params($url_starting, array('lang'=> $code))
'url' => add_url_params(duplicate_index_url(), array('lang'=> $code)),
It works much better, exception on the homepage (if your home page is not the root of albums)
I think an attacker could exploit this bug by sending to an admin an url that includes a script replacing dynamically the login form by a fake one. The fake form would be submitted to http://imevil.org [^] instead of http://piwigo.org. [^]
And that's just an exemple of what we can do with an XSS in every page of piwigo.
That's why I think this bug should be corrected as soon as possible...
The script contained in the URL I gave in the first post was blocked by the anti-XSS filter that is present in all recent WebKit browsers. Here is a new URL that should work in more browsers: http://piwigo.org/demo/index.php?/index.php?*/ [^])%3C/script%3E%3C!--/%22%3E%3Cscript%3Ealert(42/*
It would be really cool if you could correct that bug...
Is anyone interested in solving this issue?
I wrote an exploit that uses this bug to extract the user's password, if it has been pre-filled by the browser (if the user clicked "remember my password" in his browser during a previous connection). Works on Webkit + Gecko
It's here :
|We have the same problem with the "edit" button on a PWG Stuffs block.|
[Subversion] r12342 by plg on trunk
-----[Subversion commit log]----------------------------------------------------
bug 2430 fixed: prevents from cross site scripting, the URL is cleanly rewritten
|I mark this bug has fixed because it's fixed in the Language Switch plugin, which is provided by default, and I notify P@t for fixing it on PWG Stuffs.|
|2011.09.04 22:57||lovasoa||New Issue|
|2011.09.04 22:57||lovasoa||browser||=> Mozilla|
|2011.09.04 22:57||lovasoa||Web server||=> Apache 1.3.x|
|2011.09.05 21:38||rvelices||Note Added: 0005469|
|2011.09.05 21:39||rvelices||Note Edited: 0005469|
|2011.09.06 16:19||plg||Note Added: 0005471|
|2011.09.07 22:04||lovasoa||Note Added: 0005485|
|2011.09.11 09:34||lovasoa||Note Added: 0005509|
|2011.09.17 20:39||lovasoa||Note Added: 0005536|
|2011.10.04 14:40||plg||Note Added: 0005662|
|2011.10.04 14:48||svn||Note Added: 0005663|
|2011.10.04 14:49||plg||Note Added: 0005664|
|2011.10.04 14:50||plg||Assigned To||=> plg|
|2011.10.04 14:50||plg||Status||new => closed|
|2011.10.04 14:50||plg||Resolution||open => fixed|
|2011.10.04 14:50||plg||Fixed in Version||=> 2.3.0|
|Copyright © 2000 - 2017 MantisBT Team Contact|