CVE-2023-34626: SQL Injection in the "Users" function of piwigo · Issue #1924 · Piwigo/Piwigo
Piwigo 13.7.0 is vulnerable to SQL injection via the "Users" function.
Access the "Users" function and use the filter function.
Observe the request in Burp Suite.
Manipulate the 'order' or 'exclude[]' parameter by adding a single quote; a MySQL error shows up, proving the existence of SQL injection.
We can try to retrieve all the database names with the error-based payload `id AND (SELECT 2690 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,51) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`, increasing the LIMIT offset to enumerate all the database names.
Analyzing the vulnerability from the source code: locate the ws_users_getList() function (/piwigo/include/ws_functions/pwg.users.php) and notice that 'order' is concatenated directly after the 'ORDER BY' clause without any kind of input sanitization. The same happens for the 'exclude[]' parameter.
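The root cause above is that attacker-controlled strings are spliced into the ORDER BY and exclusion clauses. The following is an added illustration (not Piwigo's code) of how such parameters can be built safely: `order` is checked against an allow-list of column names and directions, and every `exclude[]` entry is coerced to an integer, so a stray quote or subquery is rejected before any SQL is assembled. The column names, the table name and the query shape are assumptions for illustration.

```php
<?php
// Added example, not Piwigo's code: hardened construction of the ORDER BY and
// exclusion fragments that a users listing would build from the 'order' and
// 'exclude[]' request parameters. Column and table names are assumptions.

// Allow-list of sortable columns; anything not listed is rejected outright.
const ALLOWED_ORDER_COLUMNS = ['id', 'username', 'email', 'registration_date'];

/**
 * Validate a comma-separated 'order' value such as "username ASC, id DESC".
 * Returns a safe ORDER BY fragment, or throws on unexpected input.
 */
function build_order_clause(string $order): string
{
    $parts = [];
    foreach (explode(',', $order) as $item) {
        $item = trim($item);
        if ($item === '') {
            continue;
        }
        // Each item must be exactly "<column>" or "<column> ASC|DESC";
        // quotes, parentheses and keywords never match this pattern.
        if (!preg_match('/^([a-z_]+)(?:\s+(ASC|DESC))?$/i', $item, $m)) {
            throw new InvalidArgumentException("invalid order item: $item");
        }
        $column = strtolower($m[1]);
        if (!in_array($column, ALLOWED_ORDER_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown sort column: $column");
        }
        $direction = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
        $parts[] = "$column $direction";
    }
    return $parts ? 'ORDER BY ' . implode(', ', $parts) : '';
}

/**
 * Coerce every 'exclude[]' entry to a non-negative integer; anything else is
 * rejected instead of being spliced into the query.
 */
function build_exclude_clause(array $exclude): string
{
    $ids = [];
    foreach ($exclude as $value) {
        if (!is_string($value) && !is_int($value)) {
            throw new InvalidArgumentException('exclude entries must be scalar');
        }
        if (!preg_match('/^\d+$/', (string) $value)) {
            throw new InvalidArgumentException("invalid user id: $value");
        }
        $ids[] = (int) $value;
    }
    return $ids ? 'AND u.id NOT IN (' . implode(',', $ids) . ')' : '';
}

/** Assemble the full query from validated fragments only. */
function build_users_query(string $order, array $exclude): string
{
    return trim('SELECT u.id, u.username FROM users u WHERE 1=1 '
        . build_exclude_clause($exclude) . ' '
        . build_order_clause($order));
}

// Constructed inputs: a legitimate request, then one carrying a single quote
// in 'order' and one carrying non-numeric text in 'exclude[]'.
echo build_users_query('username DESC, id', ['3', '17']), PHP_EOL;

foreach ([["id'", []], ['id', ["1) OR 1=1 --"]]] as [$order, $exclude]) {
    try {
        build_users_query($order, $exclude);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list approach is preferable to escaping here because ORDER BY takes identifiers, not string literals, so quoting functions such as mysqli_real_escape_string() would not make a column name safe. The integer list for NOT IN could equally be bound as placeholders through a prepared statement; the point is that nothing from the request reaches the SQL text unvalidated.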
This vulnerability affects the latest version up to 13.7.0; it is uncertain whether other versions are affected.