Westpoint Security Advisory
---------------------------

Title:        Piwigo 2.0.5 - Cross-Site Scripting Vulnerability in comments.php
Risk Rating:  Medium
Platforms:    PHP (Windows and Unix)
Author:       Andrew Paterson <andrew@westpoint.ltd.uk>
Date:         28 October 2009
Advisory ID#: wp-09-0011
URL:          http://www.westpoint.ltd.uk/advisories/wp-09-0011.txt
CVE:          not requested


Overview
--------

Piwigo 2.0.5 contains a Cross-Site Scripting (XSS) flaw in comments.php.


Details
-------

http://{piwigo_location}/comments.php accepts user input via the "keyword",
"author" and "since" parameters, amongst others. When the "since" parameter is
included in a GET request but left blank, the script outputs an SQL error as
part of the resulting HTML. This error message reproduces the SQL query
constructed using input from the "keyword" and "author" parameters. By passing
JavaScript to either of these parameters, a Cross-Site Scripting (XSS) exploit
is possible.

Examples which demonstrate this issue are:

http://{piwigo-2.0.5_location}/comments.php?keyword=<script>alert(/Vulnerable/.source)</script>&since=
http://{piwigo-2.0.5_location}/comments.php?author=<script>alert(/Vulnerable/.source)</script>&since=

For the "keyword" parameter, spaces and certain punctuation characters in the
injected text (semicolons and commas, for instance) are treated as delimiters
which cause the injected text to be broken into separate keywords. This may
make exploits including these characters more difficult.
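The pattern described above, as an added PHP example that is not Piwigo's code: a minimal comments page that reproduces the reflected-error flaw, beside a hardened version that rejects the blank date up front, keeps the query text in the server log rather than the response, and HTML-encodes anything it reflects, plus the keyword splitting from the previous paragraph. Function names, column names, the query text and the delimiter set are assumptions; the script targets PHP 8 and is run from the command line.

```php
<?php
// Added example, not Piwigo's code. Names, query text and the delimiter set are assumptions.

/**
 * Vulnerable pattern: a query built from request parameters is echoed into the
 * error page unencoded, so markup passed in "keyword" or "author" is rendered.
 */
function vulnerable_comments_page(array $get): string
{
    $keyword = $get['keyword'] ?? '';
    $author  = $get['author']  ?? '';
    $since   = $get['since']   ?? '';

    // Hypothetical query; a "since" that is present but blank is the error trigger.
    $sql = "SELECT * FROM comments WHERE content LIKE '%$keyword%'"
         . " AND author = '$author' AND date_available >= '$since'";

    if (array_key_exists('since', $get) && $since === '') {
        // XSS sink: the raw query, and therefore raw request input, goes into HTML.
        return "<p>SQL error in query: $sql</p>";
    }
    return '<p>results</p>';
}

/**
 * Hardened pattern: validate "since" before any query is built, write the
 * diagnostic detail to the server log only, and HTML-encode every reflected value.
 */
function hardened_comments_page(array $get, array &$serverLog): string
{
    if (array_key_exists('since', $get) && $get['since'] === '') {
        // Detail for the operator stays server-side; the user gets a generic message.
        $serverLog[] = 'comments.php: blank "since" parameter; request=' . json_encode($get);
        return '<p>Invalid date filter.</p>';
    }

    // Anything reflected into the page is encoded for an HTML context.
    $encode = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $keyword = $encode($get['keyword'] ?? '');
    $author  = $encode($get['author'] ?? '');
    return "<p>Comments matching keyword \"$keyword\" by \"$author\"</p>";
}

/**
 * Keyword splitting as the advisory describes it: whitespace, commas and
 * semicolons (assumed delimiter set) break the value into separate keywords.
 * Each fragment is still attacker-controlled and must be encoded if reflected.
 */
function split_keywords(string $keyword): array
{
    $parts = preg_split('/[\s,;]+/', $keyword, -1, PREG_SPLIT_NO_EMPTY);
    return $parts === false ? [] : $parts;
}

if (PHP_SAPI === 'cli') {
    // Constructed request reproducing the blank "since" case with the advisory's test string.
    $request = ['keyword' => '<script>alert(/Vulnerable/.source)</script>', 'since' => ''];
    $log = [];

    $bad  = vulnerable_comments_page($request);
    $good = hardened_comments_page($request, $log);

    printf("vulnerable page reflects <script>: %s\n", str_contains($bad, '<script>') ? 'yes' : 'no');
    printf("hardened page reflects <script>:   %s\n", str_contains($good, '<script>') ? 'yes' : 'no');
    printf("server log entries written:        %d\n", count($log));
    echo "hardened page with no 'since': ", hardened_comments_page(['keyword' => '<b>x</b>'], $log), "\n";
    print_r(split_keywords('alert(1); foo,bar baz'));
}
```

The hardened version removes the sink in two independent ways: the blank date is rejected before a query exists, so there is no error text to reflect, and the values that are legitimately shown back to the user pass through htmlspecialchars() first. Either change alone would have prevented the reflection described in this advisory; together they also cover future error paths.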


Impact
------

This flaw allows a potential attacker to inject malicious JavaScript or HTML
code, which will run at the same trust level as the server. This may enable
them to steal session cookies, form details, or other information.


Timeline
--------

28 Oct 2009    Piwigo developers informed of the vulnerability
5 Nov 2009     Piwigo 2.0.6 released, with fix applied: http://piwigo.org/releases/2.0.6
5 Nov 2009 (21:43) Issue marked as fixed in version 2.0.6 on piwigo bugtracker:
               http://piwigo.org/bugs/bug_view_advanced_page.php?bug_id=1220&history=1#history
               (only visible to registered users).
