CVE-2017-9426

9.8 CRITICAL

📋 TL;DR

CVE-2017-9426 is a critical SQL injection vulnerability in the Facetag extension for Piwigo. It allows attackers to execute arbitrary SQL commands via the imageId parameter of the facetag.changeTag and facetag.listTags actions, potentially compromising the entire database. Any Piwigo installation using version 0.0.3 of the Facetag extension is affected.

💻 Affected Systems

Products:
  • Piwigo Facetag Extension
Versions: 0.0.3
Operating Systems: All platforms running Piwigo
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Piwigo installations with the Facetag extension installed. The vulnerability is in the ws.php file within the extension.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Database information disclosure, including user credentials, sensitive content, and potential administrative access to the Piwigo installation.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions, though SQL injection could still expose some data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist, including detailed write-ups and demonstration videos. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

1. Remove the Facetag extension completely from your Piwigo installation.
2. Delete the facetag directory from piwigo/plugins/.
3. Consider using alternative tagging extensions that are maintained and secure.

🔧 Temporary Workarounds

Disable Facetag Extension

Platform: linux

Temporarily disable the vulnerable extension while maintaining Piwigo functionality

mv /path/to/piwigo/plugins/facetag /path/to/piwigo/plugins/facetag.disabled

Input Validation Filter

Platform: all

Add input validation to ws.php to sanitize imageId parameter

Edit ws.php and add the following check before the imageId parameter is used in any query (the isset() guard avoids an undefined-index notice when the parameter is absent):

  if (!isset($_POST['imageId']) || !is_numeric($_POST['imageId'])) { die('Invalid input'); }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns targeting the facetag.changeTag and facetag.listTags actions
  • Restrict database user permissions to read-only for the Piwigo application database

🔍 How to Verify

Check if Vulnerable:

Check if /path/to/piwigo/plugins/facetag/ws.php exists and contains version 0.0.3 in file headers or extension metadata

Check Version:

grep -r 'version.*0.0.3' /path/to/piwigo/plugins/facetag/

Verify Fix Applied:

Confirm facetag directory is removed or renamed, and ws.php is no longer accessible via web requests

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to */ws.php with facetag.changeTag or facetag.listTags actions containing unusual imageId parameters
  • Database error logs showing SQL syntax errors from Piwigo application

Network Indicators:

  • POST requests with SQL injection payloads in imageId parameter
  • Unusual database query patterns from web server IP

SIEM Query:

source="web_access_logs" AND uri="*ws.php*" AND (action="facetag.changeTag" OR action="facetag.listTags") AND imageId="*' OR *"
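The following Python script is an added example and is not part of this advisory, of Piwigo, or of the Facetag extension. It applies the log indicators and the SIEM logic above to a few constructed access-log lines. It assumes the action and imageId parameters are visible in the logged request URI (Apache combined log format is assumed); real POST bodies are not recorded in a plain access log, so in practice the same logic would be fed from a WAF or application log that captures request parameters. It flags any imageId for the two Facetag actions that is not a plain decimal integer, which is stricter than the quoted ' OR pattern in the SIEM query and also stricter than PHP's is_numeric() (which accepts forms such as 1e3).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines for this example (addresses are documentation
# ranges, timestamps and user agents are made up). The request parameters are
# assumed to be in the URI so that a plain access log can be analysed.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2017:12:00:01 +0000] "POST /piwigo/ws.php?action=facetag.listTags&imageId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2017:12:00:02 +0000] "POST /piwigo/ws.php?action=facetag.changeTag&imageId=42%27%20OR%201%3D1%23 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2017:12:00:03 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2017:12:00:04 +0000] "POST /piwigo/ws.php?action=facetag.listTags&imageId=1e3 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jun/2017:12:00:05 +0000] "POST /piwigo/ws.php?action=other.action&imageId=7 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identity, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# The two vulnerable actions named in the advisory.
FACETAG_ACTIONS = {"facetag.changeTag", "facetag.listTags"}

# A legitimate image id is a plain decimal integer; anything else is suspect.
SAFE_IMAGE_ID = re.compile(r"[0-9]+")

# Common SQL injection tokens used only to label a finding more precisely.
SQLI_TOKENS = re.compile(r"'|\bor\b|--|#|/\*", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        "action": params.get("action", [None])[0],
        "image_id": params.get("imageId", [None])[0],
    }


def classify(rec):
    """Return a short reason string if the record is suspicious, else None."""
    if rec is None or not rec["path"].endswith("/ws.php"):
        return None
    if rec["action"] not in FACETAG_ACTIONS:
        return None
    image_id = rec["image_id"]
    if image_id is None:
        return None  # the vulnerable parameter is not present at all
    if SAFE_IMAGE_ID.fullmatch(image_id):
        return None
    if SQLI_TOKENS.search(image_id):
        return "sql-injection pattern"
    return "non-numeric imageId"


def scan(log_text):
    """Scan log text and return (ip, action, imageId, reason) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["ip"], rec["action"], rec["image_id"], reason))
    return findings


if __name__ == "__main__":
    for ip, action, image_id, reason in scan(SAMPLE_LOG):
        print(f"{ip} {action} imageId={image_id!r}: {reason}")
```

Run against the constructed sample it reports the quoted OR payload against facetag.changeTag and the exponent-form imageId against facetag.listTags, and ignores the clean request, the non-ws.php request and the request for an unrelated action.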

🔗 References
