Greetings,
Piwigo has a number of identified security vulnerabilities:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=piwigo
Release notes don't mention addressing any:
https://piwigo.org/release-12.0.0
(1) How do I find out if a certain security vulnerability has been addressed?
https://github.com/Piwigo/Piwigo/search?q=cve
comes back with just a few references. Neither is on the list above. They all seem to be referring to PHP (Mailer) issues.
Is there a document that lists the state of handling the vulnerabilities - fixed, in-progress, fix-needed, etc.
(2) Which vulnerabilities are exploitable by anonymous, non-authenticated users?
Cheers,
tjk :)
Security fixes are usually announced in the release notes, like in https://piwigo.org/release-11.5.0 or https://piwigo.org/release-11.4.0 ; find releases on the releases page. CVE numbers aren't mentioned though. Individual CVEs may reference GitHub issues that then are closed. But those may also have been opened by irresponsible people, all opening the issue and closing it and requesting a CVE, who like to spread their name associated with "security researcher" without having coordinated things with the code maintainers.
Maybe maintainers (@plg?) could shed some light whether keeping a list of fixed CVEs (a few days after release) / security advisories is planned, which would be good.
To assess the vulnerability type of a CVE you can check with https://www.cvedetails.com/ or browse Piwigo there https://www.cvedetails.com/product/1786 … iwigo.html
Of the recent 3 Piwigo 12.2.0 CVEs (2 not in cvedetails yet) only one "works" without being logged in, that is obtaining phpinfo which can easily be mitigated by either removing that mentioned portion of code or forbidding the request in .htaccess:
RewriteCond %{REQUEST_URI} ^/piwigo/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]
Replace /piwigo with the actual directory of course.
Thank you erAck!
These are good references to have. I didn't visit https://piwigo.org/release-11.5.0 previously but now I see a Security bug fixed.
Also thank you for confirming on the phpinfo anonymous issue, and the workaround. Much appreciated.
Cheers,
tjk :)
Thanks from me too!
Important topic ... lurking...
Last edited by I_am_cats (2022-05-16 07:53:57)
erAck wrote:
obtaining phpinfo which can easily be mitigated by either removing that mentioned portion of code or forbidding the request in .htaccess:
Code:
RewriteCond %{REQUEST_URI} ^/piwigo/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]
Replace /piwigo with the actual directory of course.
I also had to prepend "RewriteEngine on" to make this work:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/admin/maintenance_actions.php$ [NC,NV]
RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
RewriteRule .* - [F,L]
Could you elaborate what exactly the last line does, and what the letters in square brackets mean?
I am now getting a 403 forbidden for that query. Which is, of course, a good thing.
To make doubly sure, the appropriate line of code is right at the beginning of /admin/maintenance_actions.php:
switch ($action)
{
  case 'phpinfo' :
  {
    //phpinfo(); //piwigo.org/forum/viewtopic.php?id=31959
    exit();
  }
Here I have commented it out already.
Last edited by I_am_cats (2022-05-25 07:06:03)
I_am_cats wrote:
I also had to prepend "RewriteEngine on" to make this work:
Yes of course, I just implicitly assumed that was on anyway.
Code:
RewriteRule .* - [F,L]
Could you elaborate what exactly the last line does, and what the letters in square brackets mean?
If the conditions are met, the RewriteRule does not substitute the URI (any URI, regular expression .* ), the - means do nothing (as a rewrite is unnecessary when bailing out anyway), the "F|forbidden" flag tells to return the 403 Forbidden code, the "L|last" flag tells to stop all further processing of rules.
See https://httpd.apache.org/docs/current/r … flags.html
Edit: this is wrong! Don't do it!
[ Thank you! I replaced [F,L] with [L] in the last line, which just results in an empty reply (code 200).
I prefer to not give potential hackers any sort of extra information. ]
I looked up the NC and NV flags from the link.
Last edited by I_am_cats (2022-05-29 12:27:24)
I_am_cats wrote:
I replaced [F,L] with [L] in the last line, which just results in an empty reply (code 200).
But that is just because you changed the source code to exit(), as the rewrite rule now does nothing except breaking all processing of further rules, which may be worse than none at all if you had any. And your web server needlessly still has to run the Piwigo PHP scripts just to generate an empty page. If your Piwigo was updated and the source code overwritten, you'd have to change the code again.
I prefer to not give potential hackers any sort of extra information.
That's not even security by obscurity, it doesn't hide anything at all and is useless. If an attacker knew it's a Piwigo system and threw the phpinfo URI at it to obtain system information, getting a 200 with an empty page doesn't tell them less than a 403 status code.
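As an added example (not from this thread, Piwigo or Apache), the following Python script models how mod_rewrite evaluates the two RewriteCond lines and the RewriteRule from the posts above, so the difference between [F,L] and [L] alone can be seen without a web server. It assumes Apache's REQUEST_URI holds only the path (no query string), that consecutive RewriteCond lines are ANDed, and that [NC] means case-insensitive; the NV (novary) flag only affects the Vary header and is not modelled. The request samples are constructed. A small probe function is included for checking your own install after deploying the rule.

```python
import re
import urllib.request
import urllib.error
from typing import Callable, Tuple

# Simplified stand-in for Apache mod_rewrite evaluation of:
#   RewriteCond %{REQUEST_URI} ^<base>/admin/maintenance_actions.php$ [NC,NV]
#   RewriteCond %{QUERY_STRING} action=phpinfo [NC,NV]
#   RewriteRule .* - [F,L]          (or [L] alone, as tried in the thread)
# This is an illustration written for this thread, not Apache's own code.


def build_rule(base_dir: str, flags: Tuple[str, ...] = ("F", "L")) -> Callable[[str, str], str]:
    """Return a function deciding one request under the thread's .htaccess rule.

    base_dir: install prefix as in the thread, e.g. "/piwigo"; "" for a root install.
    flags:    RewriteRule flags. ("F", "L") answers 403; ("L",) only stops rule
              processing, so the request still reaches the PHP script.
    Returns "403" when mod_rewrite refuses the request, "pass" otherwise.
    """
    # [NC] on the RewriteCond lines -> case-insensitive matching.
    # REQUEST_URI is the path only; the query string is matched separately.
    uri_re = re.compile(
        r"^" + re.escape(base_dir) + r"/admin/maintenance_actions\.php$", re.IGNORECASE
    )
    # The original pattern is unanchored, so "x=1&action=phpinfo" matches too.
    qs_re = re.compile(r"action=phpinfo", re.IGNORECASE)

    def decide(request_uri: str, query_string: str) -> str:
        # Both conditions must hold before the RewriteRule is applied.
        if uri_re.search(request_uri) and qs_re.search(query_string):
            if "F" in flags:
                return "403"  # [F]: Forbidden is returned, PHP never runs
            # [L] without [F]: the "-" substitution leaves the URI unchanged and
            # processing merely stops, so the request proceeds to the script.
            return "pass"
        return "pass"  # conditions not met: ordinary request

    return decide


def evaluate_samples(base_dir: str, flags: Tuple[str, ...] = ("F", "L")) -> dict:
    """Run constructed sample requests through the rule; returns {label: decision}."""
    decide = build_rule(base_dir, flags)
    samples = {  # constructed requests for illustration
        "exact": (base_dir + "/admin/maintenance_actions.php", "action=phpinfo"),
        "mixed_case": (base_dir + "/Admin/Maintenance_Actions.PHP", "ACTION=PHPINFO"),
        "extra_params": (base_dir + "/admin/maintenance_actions.php", "x=1&action=phpinfo"),
        "other_action": (base_dir + "/admin/maintenance_actions.php", "action=other"),
        "other_path": ("/elsewhere/admin/maintenance_actions.php", "action=phpinfo"),
    }
    return {label: decide(uri, qs) for label, (uri, qs) in samples.items()}


def probe(url: str, timeout: float = 5.0) -> int:
    """Fetch a URL on your own server and return the HTTP status code.

    After deploying the rule, a request to <site>/admin/maintenance_actions.php?action=phpinfo
    should yield 403. Network access is required; not exercised by the offline samples.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "rewrite-rule-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    for flags in (("F", "L"), ("L",)):
        print(flags, evaluate_samples("/piwigo", flags))
```

Running the script prints the decision per sample for both flag sets: with [F,L] the first three samples are refused and the rest pass; with [L] alone every sample passes, which is the behaviour erAck describes (the rule then only stops further rule processing and the script still runs).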
I stand corrected. That was nonsensical (removing the comment // from the phpinfo() action makes phpinfo show up again).
I added the F back in. 403 it is.