
#1 2022-03-23 02:42:47

tjk

Addressing Security Vulnerabilities

Greetings,

Piwigo has a number of identified security vulnerabilities:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=piwigo

Release notes don't mention addressing any:
https://piwigo.org/release-12.0.0

(1) How do I find out if a certain security vulnerability has been addressed?
https://github.com/Piwigo/Piwigo/search?q=cve
comes back with just a few references. None of them is on the list above; they all seem to refer to PHP (Mailer) issues.

Is there a document that lists the state of handling the vulnerabilities: fixed, in progress, fix needed, etc.?

(2) Which vulnerabilities are exploitable by anonymous, non-authenticated users?

Cheers,
tjk :)


#2 2022-03-23 19:35:45

erAck

Re: Addressing Security Vulnerabilities

Security fixes are usually announced in the release notes, like in https://piwigo.org/release-11.5.0 or https://piwigo.org/release-11.4.0; find releases on the releases page. CVE numbers aren't mentioned though. Individual CVEs may reference GitHub issues that are then closed. But those may also have been opened by irresponsible people who open the issue, close it and request a CVE, and who like to spread their name associated with "security researcher" without having coordinated anything with the code maintainers.

Maybe maintainers (@plg?) could shed some light whether keeping a list of fixed CVEs (a few days after release) / security advisories is planned, which would be good.

To assess the vulnerability type of a CVE you can check with https://www.cvedetails.com/ or browse Piwigo there https://www.cvedetails.com/product/1786 … iwigo.html

Of the recent 3 Piwigo 12.2.0 CVEs (2 not in cvedetails yet) only one "works" without being logged in, that is obtaining phpinfo, which can easily be mitigated by either removing that mentioned portion of code or forbidding the request in .htaccess:

Code:

RewriteCond %{REQUEST_URI} ^/piwigo/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]

Replace /piwigo with the actual directory of course.


Running Piwigo at https://erack.net/gallery/


#3 2022-03-25 00:46:37

tjk

Re: Addressing Security Vulnerabilities

Thank you erAck!

These are good references to have. I didn't visit https://piwigo.org/release-11.5.0 previously but now I see a Security bug fixed.

Also thank you for confirming on the phpinfo anonymous issue, and the workaround. Much appreciated.

Cheers,
tjk :)


#4 2022-05-16 07:53:03

I_am_cats

Re: Addressing Security Vulnerabilities

Thanks from me too!

Important topic ... lurking...

Last edited by I_am_cats (2022-05-16 07:53:57)


#5 2022-05-25 07:02:42

I_am_cats

Re: Addressing Security Vulnerabilities

erAck wrote:

obtaining phpinfo which can easily be mitigated by either removing that mentioned portion of code or forbidding the request in .htaccess:

Code:

RewriteCond %{REQUEST_URI} ^/piwigo/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]

Replace /piwigo with the actual directory of course.

I also had to prepend "RewriteEngine on" to make this work:

Code:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]

Could you elaborate what exactly the last line does, and what the letters in square brackets mean?
I am now getting a 403 forbidden for that query. Which is, of course, a good thing.

To make doubly sure, the appropriate line of code is right at the beginning of /admin/maintenance_actions.php:

Code:

switch ($action)
{
  case 'phpinfo' :
  {
    //phpinfo(); //piwigo.org/forum/viewtopic.php?id=31959
    exit();
  }

Here I have commented it out already.

Last edited by I_am_cats (2022-05-25 07:06:03)


#6 2022-05-25 13:19:53

erAck

Re: Addressing Security Vulnerabilities

I_am_cats wrote:

I also had to prepend "RewriteEngine on" to make this work:

Yes of course, I just implicitly assumed that was on anyway.

Code:

RewriteRule .* - [F,L]

Could you elaborate what exactly the last line does, and what the letters in square brackets mean?

If the conditions are met, the RewriteRule does not substitute the URI (any URI, regular expression .* ); the - means do nothing (as a rewrite is unnecessary when bailing out anyway), the "F|forbidden" flag tells Apache to return the 403 Forbidden code, and the "L|last" flag tells it to stop all further processing of rules.
See https://httpd.apache.org/docs/current/r … flags.html


Running Piwigo at https://erack.net/gallery/


#7 2022-05-26 08:35:49

I_am_cats

Re: Addressing Security Vulnerabilities

Edit: this is wrong! Don't do it!
[ Thank you! I replaced [F,L] with [L] in the last line, which just results in an empty reply (code 200).
I prefer to not give potential hackers any sort of extra information. ]

I looked up the NC and NV flags from the link.

Last edited by I_am_cats (2022-05-29 12:27:24)


#8 2022-05-26 12:50:51

erAck

Re: Addressing Security Vulnerabilities

I_am_cats wrote:

I replaced [F,L] with [L] in the last line, which just results in an empty reply (code 200).

But that is just because you changed the source code to exit(); the rewrite rule now does nothing except stop all processing of further rules, which may be worse than having no rule at all if you had any other rules. And your web server needlessly still has to run the Piwigo PHP scripts just to generate an empty page. If your Piwigo was updated and the source code overwritten, you'd have to change the code again.

I prefer to not give potential hackers any sort of extra information.

That's not even security by obscurity; it doesn't hide anything at all and is useless. If an attacker knew it's a Piwigo system and threw the phpinfo URI at it to obtain system information, getting a 200 with an empty page doesn't tell them less than a 403 status code.


Running Piwigo at https://erack.net/gallery/

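The 403-versus-empty-200 distinction drawn in the post above can be checked from outside the server instead of by reading the source. The script below is an added example written for this thread; it is neither Piwigo's code nor anything the posters shared. It requests admin/maintenance_actions.php?action=phpinfo anonymously (the path from the thread; the gallery URL is a hypothetical command-line argument), classifies the answer, and only treats an Apache-level 403 as mitigated. The three sample responses are constructed for offline testing; the "exposed" detection relies on the "PHP Version" heading that phpinfo() prints in its HTML.

```python
"""Check whether a Piwigo install still answers the anonymous phpinfo request.

Added example for this forum thread, not Piwigo's own code.  The request path
admin/maintenance_actions.php?action=phpinfo is the one discussed in the thread;
the sample responses below are constructed for offline testing.
"""
import sys
import urllib.error
import urllib.request

# Constructed sample responses (status, body) for the three outcomes in the thread.
SAMPLES = {
    # phpinfo() ran: its HTML carries a "PHP Version" heading and a phpinfo() title
    "exposed": (200, '<html><head><title>PHP 8.1.2 - phpinfo()</title></head>'
                     '<body><h1 class="p">PHP Version 8.1.2</h1>...</body></html>'),
    # [F,L] rule in place: Apache answers 403 before PHP runs at all
    "blocked": (403, "<title>403 Forbidden</title>"),
    # [L]-only rule with phpinfo() commented out: PHP still runs, exit() gives an empty 200
    "silenced": (200, ""),
}


def classify(status, body):
    """Map an HTTP response to 'exposed', 'blocked', 'silenced' or 'other'."""
    if status == 403:
        return "blocked"
    if status == 200:
        if "PHP Version" in body or "phpinfo()" in body:
            return "exposed"
        if body.strip() == "":
            return "silenced"
    return "other"


def fetch(base_url, timeout=10):
    """GET the phpinfo action without any session cookie; return (status, body)."""
    url = base_url.rstrip("/") + "/admin/maintenance_actions.php?action=phpinfo"
    req = urllib.request.Request(url, headers={"User-Agent": "phpinfo-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403 and other error statuses land here; the body is still readable
        return err.code, err.read().decode("utf-8", "replace")


def check(base_url):
    """Live check against a real install (network required)."""
    return classify(*fetch(base_url))


def main(argv):
    if len(argv) != 2:
        print("usage: phpinfo_check.py https://gallery.example/piwigo", file=sys.stderr)
        return 2
    verdict = check(argv[1])
    print(verdict)
    # Only an Apache-level 403 counts as mitigated: an empty 200 means the PHP
    # script still executes and the fix lives in source that an update overwrites.
    return 0 if verdict == "blocked" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "silenced" verdict is exactly the [L]-only state discussed in the thread: the rewrite rule no longer refuses anything, so the request reaches PHP and the protection depends on an edited maintenance_actions.php surviving the next upgrade. Run the script again after every Piwigo update to confirm the 403 is still produced by the web server and not by the code change.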

#9 2022-05-29 12:25:21

I_am_cats

Re: Addressing Security Vulnerabilities

I stand corrected. That was nonsensical (removing the comment // from the phpinfo() action makes phpinfo show up again).
I added the F back in. 403 it is.


Powered by FluxBB
Piwigo.org © 2002-2024