Westpoint Security Advisory
---------------------------

Title: Piwigo 2.0.5 - Cross-Site Scripting Vulnerability in comments.php
Risk Rating: Medium
Platforms: PHP (Windows and Unix)
Author: Andrew Paterson
Date: 28 October 2009
Advisory ID#: wp-09-0011
URL: http://www.westpoint.ltd.uk/advisories/wp-09-0011.txt
CVE: not requested

Overview
--------

Piwigo 2.0.5 contains a Cross-Site Scripting (XSS) flaw in comments.php.

Details
-------

http://{piwigo_location}/comments.php accepts user input via the "keyword", "author" and "since" parameters, amongst others. When the "since" parameter is included in a GET request but left blank, the script outputs an SQL error as part of the resulting HTML. This error message reproduces an SQL query constructed using input from the "keyword" and "author" parameters. By passing JavaScript to either of these parameters, a Cross-Site Scripting (XSS) exploit is possible.

Examples which demonstrate this issue are:

http://{piwigo-2.0.5_location}/comments.php?keyword=&since=
http://{piwigo-2.0.5_location}/comments.php?author=&since=

For the "keyword" parameter, spaces and certain punctuation characters in the injected text (semicolons and commas, for instance) are treated as delimiters which cause the injected text to be broken into separate keywords. This may make exploits including these characters more difficult.

Impact
------

This flaw allows a potential attacker to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, or other information.

Timeline
--------

28 Oct 2009         Piwigo developers informed of the vulnerability
5 Nov 2009          Piwigo 2.0.6 released, with fix applied: http://piwigo.org/releases/2.0.6
5 Nov 2009 (21:43)  Issue marked as fixed in version 2.0.6 on the Piwigo bug tracker: http://piwigo.org/bugs/bug_view_advanced_page.php?bug_id=1220&history=1#history (only visible to registered users).
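The Details section above describes a precise request shape (comments.php, "since" present but blank, markup in "keyword" or "author"). The following detection script is an added example, not part of the Westpoint advisory or of Piwigo; it scans constructed web-server access-log lines for that shape so a defender can spot probing of unpatched 2.0.5 installs. The log format, paths and sample lines are assumptions.

```python
"""Flag access-log requests matching the comments.php pattern in this
advisory: "since" present but blank, with markup in "keyword" or "author"."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request part: method, target and status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Crude markup indicators after URL-decoding (tags, entities, script URLs).
MARKUP_RE = re.compile(r'[<>]|&#|javascript:', re.IGNORECASE)


def suspicious_comments_request(line: str):
    """Return the offending parameter name, or None if the line is benign."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/comments.php"):
        return None
    # keep_blank_values so that "since=" survives parsing as [""]
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("since") != [""]:
        return None  # the error page only appears for a present-but-blank "since"
    for name in ("keyword", "author"):
        for value in params.get(name, []):
            if MARKUP_RE.search(value):
                return name
    return None


def scan(lines):
    """Return (line index, parameter) pairs for every suspicious request."""
    hits = []
    for idx, line in enumerate(lines):
        name = suspicious_comments_request(line)
        if name:
            hits.append((idx, name))
    return hits


# Constructed sample lines, not real traffic (hostname and paths assumed).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2009:10:00:00 +0000] "GET /piwigo/comments.php?keyword=holiday&since=week HTTP/1.1" 200 5120',
    '10.0.0.7 - - [28/Oct/2009:10:01:00 +0000] "GET /piwigo/comments.php?keyword=%3Cimg%20src%3Dx%3E&since= HTTP/1.1" 200 812',
    '10.0.0.9 - - [28/Oct/2009:10:02:00 +0000] "GET /piwigo/comments.php?author=%3Cb%3Ehi&since=week HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Oct/2009:10:03:00 +0000] "GET /piwigo/index.php?keyword=%3Cb%3E&since= HTTP/1.1" 200 300',
    '10.0.0.4 - - [28/Oct/2009:10:04:00 +0000] "GET /piwigo/comments.php?author=%3Cscript%3E&since= HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_LOG):
        print(f"line {idx}: markup in '{name}' with blank 'since'")
```

Lines 2 and 4 of the sample are flagged; line 0 and line 2 have a non-blank "since" and line 3 is not comments.php, so they pass.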