Hello,
I was getting a 403 error whenever I tried to log in to my gallery via identification.php. On contacting my host I was informed it was hitting their WAF. They provided this:
2018-08-25 18:10:55.867706 [NOTICE] [xxx.xxx.xxx.xxx:53750:HTTP2-51] mod_security rule [Id '77244780'] triggered!
[Sat Aug 25 18:10:55 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_BASENAME' '@streq identification.php'] [id "77244780"] [rev "1"] [msg "IM360 WAF: Open redirect vulnerability in Piwigo 2.9 and probably prior versions (CVE-2017-9464)||MVN:identification.php||MV:identification.php||T:LITESPEED||PC:560"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2017-9464"]
Turning off mod_sec allows me to log in.
It looks like this vulnerability has been around a while (https://www.wizlynxgroup.com/security-r … X-2017-007) but if no one else is complaining maybe there is something strange with my setup (I just moved the site to a new host). It would be great if someone could confirm if this vulnerability has been fixed.
Thank you
Neil
Piwigo version: 2.9.4
PHP version: 5.6.37
MySQL version: 5.5.5-10.2.15-MariaDB-cll-lve
That was fixed for Piwigo 2.9.1, see [Github] Piwigo issue #706 referenced from the page you mentioned.
As you are running Piwigo 2.9.4, it looks like your host's WAF rule only matches on the 2.9 version and does not check the micro version number.
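An added example, not from the thread or the Piwigo project: a small Python parser for the ModSecurity denial line quoted above, plus a version check that flags the hit as a false positive on a release at or past the fix (2.9.1, per the reply above) and emits the narrowest matching exclusion. The exclusion uses Apache ModSecurity 2 syntax, which is an assumption; the host's LiteSpeed configuration may differ.

```python
import re

# Constructed sample: the ModSecurity error-log line quoted in the thread,
# with the client address anonymised as in the post.
SAMPLE_LOG = (
    "[Sat Aug 25 18:10:55 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: "
    "Access denied with code 403, [Rule: 'REQUEST_BASENAME' '@streq identification.php'] "
    '[id "77244780"] [rev "1"] [msg "IM360 WAF: Open redirect vulnerability in Piwigo 2.9 '
    "and probably prior versions (CVE-2017-9464)||MVN:identification.php||MV:identification.php"
    '||T:LITESPEED||PC:560"] [severity "CRITICAL"] [tag "CWAF"] [tag "CVE-2017-9464"]'
)

def parse_modsec_denial(line):
    """Extract the fields a defender needs from a ModSecurity 'Access denied' line."""
    if "ModSecurity: Access denied" not in line:
        return None
    rule = re.search(r"\[Rule: '([^']+)' '(@\S+) ([^']*)'\]", line)
    msg = re.search(r'\[msg "([^"]*)"\]', line).group(1)
    text, *extras = msg.split("||")  # the vendor appends key:value pairs after '||'
    return {
        "status": int(re.search(r"Access denied with code (\d+)", line).group(1)),
        "variable": rule.group(1),   # what the rule inspects (here the script name only)
        "operator": rule.group(2),
        "pattern": rule.group(3),
        "id": re.search(r'\[id "(\d+)"\]', line).group(1),
        "msg": text,
        "extras": dict(e.split(":", 1) for e in extras if ":" in e),
        "severity": re.search(r'\[severity "([^"]*)"\]', line).group(1),
        "tags": re.findall(r'\[tag "([^"]*)"\]', line),
        "cves": sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", line))),
    }

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def is_false_positive(hit, installed, fixed_in):
    """A rule keyed only on REQUEST_BASENAME fires for every Piwigo version; treat
    the block as a false positive once the install is at or past the fixed release."""
    return hit["variable"] == "REQUEST_BASENAME" and version_tuple(installed) >= version_tuple(fixed_in)

def exclusion_directive(hit):
    """Narrowest exclusion: drop only this rule id, only for the matched script.
    Apache ModSecurity 2 syntax (assumed; the host's LiteSpeed config may differ)."""
    return (f'<LocationMatch "/{re.escape(hit["pattern"])}$">\n'
            f"    SecRuleRemoveById {hit['id']}\n</LocationMatch>")

if __name__ == "__main__":
    hit = parse_modsec_denial(SAMPLE_LOG)
    print(hit["id"], hit["cves"], is_false_positive(hit, "2.9.4", "2.9.1"))
    print(exclusion_directive(hit))
```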
Thanks for the clarification.
Cheers
Neil
Hi there
First, thanks a million for this great gallery script.
I solved this problem (error 403 when logging on) by disabling Mod Security on my host.
But I don't know why this fantastic gallery script has a problem with Mod Security!
I hope it is solved in new updates.
Many Thanks