CVE-2024-43018 PoC: Piwigo security vulnerability

Related vulnerability
Title: Piwigo security vulnerability (CVE-2024-43018)
Description: Piwigo is an open-source, web-based photo gallery application from the Piwigo project. It provides photo management, photo categorisation and permission management, among other features. Piwigo 13.8.0 and earlier contain a security vulnerability: the parameters max_level and min_register are not validated, which may allow SQL injection.
Introduction
# CVE-2024-43018
- [x] Assign an ID
- [ ] Be officially populated in CVE - Mitre

## Index
- [Description](#description)
- [Technologies used](#technologies-used)
- [Source and Sink](#source-and-sink)
- [How to execute it](#how-to-execute-it)
- [Fix](#fix)
- [Authors](#authors)

## Description
While investigating for the theses https://hdl.handle.net/10316/118126 and https://hdl.handle.net/10316/118059, a new vulnerability in the Piwigo application was discovered. It stems from the lack of sanitization of some parameters of the filtered user search reachable from HOST/admin.php?page=user_list. <br>
More specifically, Piwigo 13.8.0 and below is vulnerable to SQL injection in the parameters max_level and min_register. These parameters are used in the ws_users_getList function in the file include\ws_functions\pwg.users.php; this function is called by ws.php and backs the advanced user search in /admin.php?page=user_list. Manipulating the resulting SQL queries could lead to consequences such as "Code Execution" and "Information Disclosure", so these parameters must be sanitized before they are used in any SQL query. This affects version 12.2.0 and might affect future versions, since a similar vulnerability has been reported in version 13.8.0.

## Technologies used
1. [Burp Suite](https://portswigger.net)
1. [Firefox](https://www.firefox.com/pt-PT)

## Source and Sink
The mentioned parameters (max_level and min_register) are grouped in a variable that will use them in the execution of a SQL query:
![Screenshot_38](https://github.com/user-attachments/assets/53c6f282-c3bf-4966-a7f4-8a81fa4ee075)
![Screenshot_39](https://github.com/user-attachments/assets/b045accf-e1a0-42cc-b617-8e3ee245f918) 

## How to execute it
First enter in HOST/admin.php?page=user_list page
![Screenshot_34](https://github.com/user-attachments/assets/69d9e13e-9afe-4d63-b24d-227beddab09d)

Looking at the request sent by Firefox, we can see that several parameters are submitted:

![Screenshot_35](https://github.com/user-attachments/assets/ffac38bc-1ef7-4035-822f-3f42f83656f2)

If we manipulate the parameters 'max_level' and 'min_register' so that they include a single quote and then resend the request, a MySQL error appears (even showing the SQL query that was executed), which proves the existence of a SQL injection vulnerability in both fields.

'max_level'
![Screenshot_36](https://github.com/user-attachments/assets/bdab34f4-93e9-461f-99c7-d10f7c1f5359)

'min_register'
![Screenshot_37](https://github.com/user-attachments/assets/5706f68f-6c0d-445e-bf64-bb085f2c56ce)
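The error response described above leaves a footprint in the web server's access log: a request to the user-search endpoints carrying a max_level or min_register value that is not a plain integer or date. The following Python script is an added example (not part of the original write-up or of Piwigo) that scans such log lines for the two parameters and flags values outside their expected shape. The log lines are constructed for the example, and the ws.php method name pwg.users.getList is assumed from the file the write-up names, include/ws_functions/pwg.users.php.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache "combined" format (hosts, times and
# sizes are made up). The method name pwg.users.getList is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2024:12:00:01 +0000] "GET /admin.php?page=user_list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2024:12:00:09 +0000] "GET /ws.php?format=json&method=pwg.users.getList&max_level=4&min_register=2023-01-01 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Aug/2024:12:01:15 +0000] "GET /ws.php?format=json&method=pwg.users.getList&max_level=4%27&min_register=2023-01-01 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Aug/2024:12:01:22 +0000] "GET /ws.php?format=json&method=pwg.users.getList&max_level=4&min_register=2023-01-01%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Aug/2024:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# client, method, request target and HTTP status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Shapes the two parameters are expected to take: max_level is an integer,
# min_register is a date (optionally with a time). Anything else is suspect.
EXPECTED = {
    "max_level": re.compile(r"^\d+$"),
    "min_register": re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$"),
}

# Endpoints through which the vulnerable function is reached, per the write-up.
WATCHED_PATHS = {"/ws.php", "/admin.php"}


def find_suspect_requests(log_text):
    """Return (client, path, parameter, decoded value, status) for every
    request to a watched path whose max_level or min_register value does
    not match its expected shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path not in WATCHED_PATHS:
            continue
        # parse_qs percent-decodes, so %27 becomes a literal quote here
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, pattern in EXPECTED.items():
            for value in params.get(name, []):
                if not pattern.match(value):
                    hits.append((client, parts.path, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect request:", hit)
```

Only the two requests carrying a quote are reported; the well-formed request from the same client is not. Pairing the flagged parameter with the 500 status gives a cheap indicator that the error-based probe the write-up describes was attempted, which is useful while a patch or WAF rule is being rolled out.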

## Fix
As of today, the developers have put in place a fix for this problem, which is simply a white-list approach, as described in https://github.com/Piwigo/Piwigo/issues/2197. This is not the best solution, as parameterized queries would be preferable, but since that is not possible (due to logistical concerns raised by the developers) it is advisable to use a Web Application Firewall to add an extra layer of protection.
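To make the source-and-sink pattern and the two remedies concrete, here is an added Python model (not Piwigo's PHP code and not from the original write-up) of a user search filtered by max_level and min_register. It places the unsafe concatenation next to a version that first applies a white list for max_level and a strict date format for min_register, as the developers' fix does, and then also binds the values as query parameters. The SQLite table, its columns, the sample rows and the set of allowed levels are all constructed for the example.

```python
import re
import sqlite3
from datetime import date

# Hypothetical stand-in for the users table; column names are assumptions.
_SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    level INTEGER NOT NULL,
    registration_date TEXT NOT NULL
);
"""

# Constructed sample rows.
_ROWS = [
    (1, "alice", 0, "2023-01-15"),
    (2, "bob", 4, "2023-06-01"),
    (3, "carol", 8, "2024-02-20"),
]

# Constructed white list of privacy levels the search may filter on.
ALLOWED_LEVELS = {0, 1, 2, 4, 8}

_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", _ROWS)
    return conn


def vulnerable_search(conn, max_level, min_register):
    """The unsafe pattern: request values concatenated into the WHERE clause.
    A single quote in either value breaks the statement, producing the
    database error the write-up observes."""
    where = ("level <= " + str(max_level)
             + " AND registration_date >= '" + str(min_register) + "'")
    return conn.execute("SELECT username FROM users WHERE " + where).fetchall()


def injection_breaks_query(conn, max_level, min_register):
    """True if the unsafe query fails on these inputs (the error signal)."""
    try:
        vulnerable_search(conn, max_level, min_register)
        return False
    except sqlite3.Error:
        return True


def validate_max_level(value):
    """White-list check, as in the developers' fix: must be one of the
    known levels, not merely an integer."""
    try:
        level = int(value)
    except (TypeError, ValueError):
        raise ValueError("max_level must be an integer")
    if level not in ALLOWED_LEVELS:
        raise ValueError("max_level is not an allowed level")
    return level


def validate_min_register(value):
    """Accept only a real calendar date in YYYY-MM-DD form."""
    if not isinstance(value, str) or not _DATE_RE.match(value):
        raise ValueError("min_register must be YYYY-MM-DD")
    date.fromisoformat(value)  # rejects impossible dates such as 2023-13-40
    return value


def safe_search(conn, max_level, min_register):
    """Validated values bound as parameters: the preferred remedy, which the
    write-up notes the project could not adopt in this case."""
    level = validate_max_level(max_level)
    since = validate_min_register(min_register)
    return conn.execute(
        "SELECT username FROM users WHERE level <= ? AND registration_date >= ?",
        (level, since),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(safe_search(db, "4", "2023-01-01"))
    print(injection_breaks_query(db, "4'", "2023-01-01"))
```

On well-formed input both functions return the same rows, so the validation and the parameter binding cost nothing functionally. The white list alone already stops the error the write-up relies on, because a value containing a quote never reaches the query; binding the values additionally removes the concatenation sink, so a future gap in the white list cannot reopen the injection.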

## Important notes
- To follow the whole discussion with the developers and the thoughts shared, see the original issue: https://github.com/Piwigo/Piwigo/issues/2197
- This CVE will be published on the following page once accepted by CVE - Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43018

## Authors:
- [João Silva](https://github.com/joaosilva21)
- [Inês Marçal](https://github.com/inesmarcal)