#1 2018-08-26 10:48:42

Neil Fitz
Member
2018-08-26
2

Problem with identification.php

Hello,

I was getting a 403 error whenever I tried to log in to my gallery via identification.php. On contacting my host I was informed it was hitting their WAF. They provided this:
2018-08-25 18:10:55.867706 [NOTICE] [xxx.xxx.xxx.xxx:53750:HTTP2-51] mod_security rule [Id '77244780'] triggered!
[Sat Aug 25 18:10:55 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_BASENAME' '@streq identification.php'] [id "77244780"] [rev "1"] [msg "IM360 WAF: Open redirect vulnerability in Piwigo 2.9 and probably prior versions (CVE-2017-9464)||MVN:identification.php||MV:identification.php||T:LITESPEED||PC:560"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2017-9464"]

Turning off mod_sec allows me to log in.
It looks like this vulnerability has been around a while (https://www.wizlynxgroup.com/security-r … X-2017-007) but if no one else is complaining maybe there is something strange with my setup (I just moved the site to a new host). It would be great if someone could confirm if this vulnerability has been fixed.
Thank you
Neil


Piwigo version: 2.9.4
PHP version: 5.6.37
MySQL version: 5.5.5-10.2.15-MariaDB-cll-lve


#2 2018-08-26 19:08:38

erAck
Piwigo Team
2015-09-06
300

Re: Problem with identification.php

That was fixed for Piwigo 2.9.1, see [Github] Piwigo issue #706 referenced from the page you mentioned.
As you are running Piwigo 2.9.4 it looks like your hoster's WAF rule catches only the 2.9 but does not check the micro version number.


Running Piwigo at https://erack.net/gallery/
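As an added illustration of the triage erAck describes (not code from the thread or from Piwigo): the rule fires on REQUEST_BASENAME alone, so the ModSecurity line can be parsed and checked against the version that carries the fix to flag it as a probable false positive. The sample log line is the one quoted in the first post; the fixed-in table holds only the 2.9.1 fact stated above.

```python
import re
from typing import Optional

# Constructed sample: the ModSecurity error-log line quoted in the first post
# (client address masked as in the original).
SAMPLE_LOG = (
    '[Sat Aug 25 18:10:55 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: '
    "Access denied with code 403, [Rule: 'REQUEST_BASENAME' '@streq identification.php'] "
    '[id "77244780"] [rev "1"] [msg "IM360 WAF: Open redirect vulnerability in Piwigo 2.9 '
    'and probably prior versions (CVE-2017-9464)||MVN:identification.php||MV:identification.php'
    '||T:LITESPEED||PC:560"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2017-9464"]'
)

# Per erAck's reply, the open redirect (Piwigo issue #706) was fixed in 2.9.1.
FIXED_IN = {"CVE-2017-9464": (2, 9, 1)}

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "..."], [msg "..."], [tag "..."]
RULE_RE = re.compile(r"\[Rule: '([^']+)' '([^']+)'\]")  # [Rule: 'VARIABLE' 'OPERATOR ARG']


def parse_modsec_line(line: str) -> dict:
    """Extract rule id, msg, tags and the matched variable/operator from a ModSecurity line."""
    info = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            info["tags"].append(value)
        else:
            info[key] = value
    m = RULE_RE.search(line)
    if m:
        info["variable"], info["operator"] = m.group(1), m.group(2)
    return info


def parse_version(text: str) -> tuple:
    """'2.9.4' -> (2, 9, 4); tuples compare micro versions correctly, unlike a '2.9' prefix match."""
    return tuple(int(p) for p in text.split("."))


def likely_false_positive(info: dict, installed: str) -> Optional[str]:
    """Return the CVE tag whose fix the installed version already carries, else None."""
    for tag in info.get("tags", []):
        fixed = FIXED_IN.get(tag)
        if fixed and parse_version(installed) >= fixed:
            return tag
    return None
```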


#3 2018-08-28 10:46:55

Neil Fitz
Member
2018-08-26
2

Re: Problem with identification.php

Thanks for the clarification.
Cheers
Neil


#4 2019-10-18 14:08:46

Mahdi196
Member
2019-10-18
1

Re: Problem with identification.php

Hi there

At first, thanks a million for this great gallery script.
I solved this problem (Error 403 when logging on) by disabling Mod Security on my host.
But I don't know why this fantastic gallery script has a problem with Mod Security!
I hope it is solved with new updates.

Many Thanks
