CVE-2016-3735

8.1 HIGH

📋 TL;DR

CVE-2016-3735 is a predictable password reset token vulnerability in Piwigo image gallery software. When certain criteria aren't met, Piwigo uses PHP's mt_rand() function to generate password reset tokens, which can be predicted by recovering the seed. This allows unauthenticated attackers to take over administrator accounts if they know the administrator's email address.

💻 Affected Systems

Products:
  • Piwigo
Versions: before 2.8.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability requires the password reset functionality to be accessible and the attacker to know the administrator's email address.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the administrator account leading to full control of the Piwigo installation, potential data theft, and website defacement.

🟠 Likely Case

Administrator account takeover allowing unauthorized access to sensitive images, user data, and gallery management functions.

🟢 If Mitigated

No impact if patched or if password reset functionality is disabled for administrator accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of administrator email address and ability to predict mt_rand() output based on seed recovery.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.1 and later

Vendor Advisory: http://piwigo.org/release-2.8.1

Restart Required: No

Instructions:

1. Back up your Piwigo installation and database.
2. Download Piwigo 2.8.1 or later from piwigo.org.
3. Replace the existing Piwigo files with the new version.
4. Run the upgrade script if prompted.
5. Verify functionality.

🔧 Temporary Workarounds

  • Disable password reset for admin accounts (all platforms): remove or restrict access to the password reset functionality for administrator accounts
  • Use external authentication (all platforms): implement an external authentication system that bypasses Piwigo's password reset mechanism

🧯 If You Can't Patch

  • Restrict access to password reset functionality using web server rules or firewall
  • Implement rate limiting on password reset requests to reduce brute force effectiveness

🔍 How to Verify

Check if Vulnerable:

Check Piwigo version in admin panel or by examining piwigo/include/constants.php file for version number

Check Version:

grep 'PHPWG_VERSION' piwigo/include/constants.php

Verify Fix Applied:

Verify version is 2.8.1 or later and check that password reset tokens are generated using cryptographically secure methods

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests for administrator accounts
  • Unusual password reset success events

Network Indicators:

  • Unusual patterns of password reset requests to /password.php or similar endpoints

SIEM Query:

source="web_logs" AND (url="*password*" OR url="*lost*password*") AND user="admin" AND count > threshold
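As an added detection example (not part of this advisory), the following Python script applies the logic of the SIEM query above to a few constructed access-log lines: it parses combined-format entries, keeps requests to Piwigo's password.php (or lost-password paths), and flags any source IP that exceeds a threshold of reset requests inside a sliding time window. Access logs record the endpoint but not the target account, so the per-source count stands in for the query's user and count clauses; the log lines, IP addresses, window and threshold are all constructed.

```python
"""Flag bursts of password-reset requests against Piwigo's reset endpoint."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOGS = """\
203.0.113.7 - - [10/Jun/2016:13:55:01 +0000] "GET /piwigo/password.php?action=lost HTTP/1.1" 200 512 "-" "curl/7.47"
203.0.113.7 - - [10/Jun/2016:13:55:02 +0000] "POST /piwigo/password.php HTTP/1.1" 302 0 "-" "curl/7.47"
203.0.113.7 - - [10/Jun/2016:13:55:03 +0000] "POST /piwigo/password.php HTTP/1.1" 302 0 "-" "curl/7.47"
203.0.113.7 - - [10/Jun/2016:13:55:04 +0000] "POST /piwigo/password.php HTTP/1.1" 302 0 "-" "curl/7.47"
203.0.113.7 - - [10/Jun/2016:13:55:40 +0000] "GET /piwigo/password.php?key=constructed HTTP/1.1" 200 600 "-" "curl/7.47"
198.51.100.2 - - [10/Jun/2016:14:10:00 +0000] "GET /piwigo/password.php?action=lost HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jun/2016:14:12:00 +0000] "GET /piwigo/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Piwigo's reset endpoint plus the "*lost*password*" pattern from the SIEM query.
RESET_PATH = re.compile(r"/password\.php|lost.?password", re.IGNORECASE)


def parse(line):
    """Return (ip, datetime, path, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def reset_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Map each source IP to its peak number of reset requests in any `window`,
    keeping only sources whose peak exceeds `threshold` (the query's count clause)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and RESET_PATH.search(rec[2]):
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


if __name__ == "__main__":
    for ip, count in reset_bursts(SAMPLE_LOGS.splitlines()).items():
        print(f"ALERT: {count} password-reset requests from {ip} within 5 minutes")
```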
