CVE-2020-19213
📋 TL;DR
Piwigo 2.9.5 and earlier contain a SQL injection in admin/cat_move.php: the 'selection' parameter submitted when moving categories (albums in the web UI) reaches a SQL statement without adequate sanitisation, so whoever can submit that form can run arbitrary SQL against the Piwigo database and read, modify or delete its contents. The page belongs to the administration interface, so exploitation requires an authenticated administrator session. That limits exposure but does not make the issue harmless: the database holds more than the admin UI exposes (password hashes of every user, configuration, and any other tables the same database account can reach), so one compromised or phished admin account becomes direct database access.
💻 Affected Systems
- Piwigo
📦 What is this software?
Piwigo, the open-source PHP/MySQL photo gallery, by the Piwigo project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Piwigo database (and of any other database the same account can reach) leading to theft of user credentials and content, data destruction, or a foothold for further attacks on the host.
Likely Case
An attacker holding an admin session reads or alters data the admin UI does not expose, such as other users' password hashes, or manipulates the database to deface the site or exfiltrate content.
If Mitigated
Limited impact where the database account Piwigo uses is confined to its own schema with minimal privileges and access to the administration interface is tightly restricted.
🎯 Exploit Status
Exploitation requires an authenticated account with admin access; the injection point is the 'selection' parameter of admin/cat_move.php. Once a session is available the injection can be driven with standard SQL injection tooling, so the practical barrier is obtaining or hijacking an admin login.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Piwigo 2.10.0 and later
Vendor Advisory: https://github.com/Piwigo/Piwigo/issues/1010
Restart Required: No
Instructions:
1. Back up your Piwigo installation and database.
2. Download Piwigo 2.10.0 or later from the official website.
3. Replace all files with the new version.
4. Run the upgrade script (upgrade.php) when prompted.
5. Verify that the installation works correctly.
🔧 Temporary Workarounds
Disable category move functionality
Linux: temporarily rename admin/cat_move.php so the vulnerable page cannot be loaded. Administrators lose the ability to move categories until the file is restored, and any reinstall or upgrade will put it back, so treat this strictly as a stopgap.
mv /path/to/piwigo/admin/cat_move.php /path/to/piwigo/admin/cat_move.php.disabled
Implement WAF rules
All platforms: add a web application firewall rule for requests to the category-move page that rejects any 'selection' value which is not a plain integer category id. An allowlist of the expected value shape is preferable to blocking SQL keywords, which is easy to evade with encoding, case changes and comments.
🧯 If You Can't Patch
- Treat every administrator account as a direct path to the database: enforce strong, unique passwords, remove unused admin accounts, and restrict access to the admin interface (for example by source IP or an additional authentication layer at the web server). Rewriting Piwigo's own queries to use input validation and parameterized statements is the upstream fix, not an operator workaround; apply the update as soon as possible
- Restrict the database account Piwigo uses to its own schema with only the privileges the application needs (no FILE, SUPER or access to other databases), so a successful injection cannot reach beyond Piwigo's own tables
🔍 How to Verify
Check if Vulnerable:
Piwigo 2.9.5 or earlier is vulnerable. The installed version is defined as PHPWG_VERSION in include/constants.php and is also shown on the administration dashboard.
Check Version:
grep 'PHPWG_VERSION' /path/to/piwigo/include/constants.php
Verify Fix Applied:
Confirm that PHPWG_VERSION reports 2.10.0 or later and that the category-move page in the administration interface still works for a legitimate move. Working functionality alone does not prove the fix is present; the version check does.
📡 Detection & Monitoring
Log Indicators:
- SQL statements in the database general/query log that contain UNION, SELECT against the users table, comment sequences or stray string delimiters and originate from the category-move page
- Administrator logins from unfamiliar addresses or at unusual times followed shortly by requests to the category-move page
- MySQL/MariaDB syntax errors, or database errors surfaced by Piwigo's error page, in the PHP or web server error log; injection probing typically triggers these before a working payload is found
Network Indicators:
- HTTP POST requests for the category-move page (admin/cat_move.php, reached as admin.php?page=cat_move) whose 'selection' values are anything other than integer category ids, for example values containing quotes, parentheses, SQL keywords or comment sequences
- Unusual database activity from the web server, such as large result sets or queries touching tables the gallery does not normally read
SIEM Query:
source="web_logs" AND uri="*cat_move*" AND (param="*selection=*'*" OR param="*selection=*SELECT*" OR param="*selection=*UNION*" OR param="*selection=*--*")
A bare *OR* pattern is deliberately left out: with wildcards on both sides it matches any later parameter whose name or value contains those two letters. Because legitimate 'selection' values are numeric category ids, a rule that alerts on any selection value that is not all digits catches more payload variants with fewer false positives than keyword matching.
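The allowlist idea behind the WAF workaround and the SIEM search above, made concrete as an added example (this is not Piwigo's code and not part of the advisory). It assumes that the only legitimate 'selection' values are decimal category ids, that the page is reached as admin.php?page=cat_move (so the URI is matched on the page name rather than a fixed path), and that a reverse-proxy or WAF audit log records POST bodies, which ordinary access logs do not. The log extract, IP addresses and payloads are constructed for the example.

```python
"""Flag non-numeric 'selection' values sent to Piwigo's category-move page.

Added example, not Piwigo's code. Assumption: legitimate values of the
'selection' parameter are decimal category ids, so anything else merits an
alert. That single predicate is what a WAF rule or SIEM search should encode
instead of keyword wildcards such as *OR*.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

# A legitimate Piwigo category id is a positive integer (assumption, see above).
ID_RE = re.compile(r"^\d{1,10}$")
# Metacharacters and keywords that only appear when the numeric context is being
# broken out of. Word boundaries stop "or"/"and" matching inside ordinary words.
SQL_META_RE = re.compile(
    r"""['";#()]|--|/\*|\b(select|union|or|and|sleep|benchmark)\b""", re.I
)


def selection_values(body: str) -> list[str]:
    """Return every value sent as selection or selection[] (Piwigo posts an array)."""
    params = parse_qs(body, keep_blank_values=True)  # decodes %5B%5D -> []
    return [v for k, vals in params.items()
            if k == "selection" or k.startswith("selection[")
            for v in vals]


def classify(body: str) -> tuple[str, list[str]]:
    """Return (verdict, offending values); verdict is ok, suspicious or injection."""
    bad = [v for v in selection_values(body) if not ID_RE.match(v)]
    if not bad:
        return "ok", []
    if any(SQL_META_RE.search(v) for v in bad):
        return "injection", bad
    return "suspicious", bad  # not an id, but no SQL metacharacters either


# Constructed audit-log extract: ip<TAB>method<TAB>uri<TAB>urlencoded body.
# Addresses are from the RFC 5737 documentation ranges.
AUDIT_LOG = "\n".join([
    "203.0.113.5\tPOST\t/admin.php?page=cat_move\tselection%5B%5D=12&selection%5B%5D=34&parent=0",
    "203.0.113.5\tPOST\t/admin.php?page=photos_add\tcategory=12",
    "198.51.100.7\tPOST\t/admin.php?page=cat_move\t"
    "selection%5B%5D=12%29+UNION+SELECT+username%2Cpassword+FROM+piwigo_users--+&parent=0",
    "198.51.100.7\tPOST\t/admin.php?page=cat_move\tselection%5B%5D=12+OR+1%3D1&parent=0",
    "192.0.2.9\tPOST\t/admin.php?page=cat_move\tselection%5B%5D=abc&parent=0",
    "203.0.113.5\tPOST\t/admin.php?page=cat_move\tselection%5B%5D=&parent=7",
])


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (ip, verdict, offending values) for every non-ok category-move request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, uri, body = line.split("\t", 3)
        # Only the vulnerable page is of interest; match its page name, not a path
        # (assumption: Piwigo serves it as admin.php?page=cat_move).
        if "cat_move" not in uri:
            continue
        verdict, bad = classify(body)
        if verdict != "ok":
            findings.append((ip, verdict, bad))
    return findings


if __name__ == "__main__":
    for ip, verdict, bad in scan(AUDIT_LOG):
        print(f"{ip}\t{verdict}\t{bad}")
```

Run stand-alone it reports the two injection attempts from 198.51.100.7 and two suspicious requests (a non-numeric id and an empty value). The first, legitimate request passes because every value is an integer, and the request to a different admin page is ignored. Note that `keep_blank_values=True` matters: an empty `selection[]=` is not a valid id either and should not silently disappear from the parse.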