CVE-2021-32615
📋 TL;DR
Piwigo 11.4.0 passes the order[0][dir] parameter (the sort direction used by the user list served from admin/user_list_backend.php) into a SQL query without validating it, so an authenticated administrator can inject arbitrary SQL. A successful injection can read, modify or delete anything the application's database account can reach, including user records and password hashes. The endpoint is admin-only, so the attacker must already hold, or have obtained, an administrator session; the practical risk is a compromised or malicious admin account.
💻 Affected Systems
- Piwigo
📦 What is this software?
Piwigo by Piwigo: an open-source photo gallery application written in PHP and backed by a MySQL/MariaDB database. Its administration area includes a user list whose server-side data is produced by admin/user_list_backend.php, the script affected here.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Piwigo database: exfiltration of every table (user accounts, password hashes, session data, configuration), modification of privileges or stored data, or destruction of the database. Escalation beyond the database to the host is possible only if the database account holds extra privileges (for example file-write permissions) or if the stolen data can be reused elsewhere.
Likely Case
Theft of user credentials (password hashes) and other sensitive records, manipulation of database contents, or denial of service by damaging or locking tables.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated: the injected value is sent in an ordinary request to the user list endpoint. A public proof-of-concept exists in the project's GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.4.1 and later
Vendor Advisory: https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52
Restart Required: No
Instructions:
1. Back up your Piwigo installation and database.
2. Download Piwigo 11.4.1 or later from official sources (or apply the linked commit, which changes admin/user_list_backend.php).
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by checking the running version.
🔧 Temporary Workarounds
Input Validation Filter
Modify admin/user_list_backend.php so that order[0][dir] is accepted only when it is exactly asc or desc (case-insensitive) and rejected otherwise. Use an allowlist rather than stripping "dangerous" characters: a working ORDER BY payload needs no quotes or semicolons, so character blocklists do not stop it.
Access Restriction
Temporarily restrict access to admin/user_list_backend.php, or to the whole admin/ directory, at the web server level (for example an IP allowlist for trusted administrator addresses), so that a stolen admin session cannot be used from arbitrary networks.
🧯 If You Can't Patch
- Use parameterized queries for data values, and strict allowlists for anything that cannot be bound as a parameter (column names, sort directions, LIMIT clauses); the sort direction here is one of those cases
- Restrict admin access to trusted IP addresses only and require multi-factor authentication for administrator accounts, since the attack needs a valid admin session
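The following is an added example, not Piwigo's code, illustrating the point made in the workaround and the "if you can't patch" guidance above: an ORDER BY sort direction cannot be bound as a query parameter, and filtering out "malicious characters" does not stop injection, so the only safe handling is an exact-match allowlist. The in-memory SQLite table, its columns and rows, and the payload are constructed for this illustration; they are not Piwigo's schema or a Piwigo-specific exploit. The payload uses only letters, digits, parentheses, commas and operators (no quotes), and leaks data through the order in which rows are returned.

```python
"""Added example (not Piwigo's code): why an ORDER BY sort direction has to be
allowlisted, not blocklisted or bound as a query parameter.

The in-memory SQLite table, its columns and its rows are constructed for this
illustration; they are not Piwigo's schema.
"""
import sqlite3
import string

ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# Sorting on a column where every row carries the same value means any
# attacker-supplied secondary sort key fully decides the row order.
BASE_QUERY = "SELECT id, username FROM users ORDER BY status "


def build_query_vulnerable(direction: str) -> str:
    # The unsafe pattern: the request parameter is pasted straight into the SQL text.
    return BASE_QUERY + direction


def build_query_hardened(direction: str) -> str:
    # ORDER BY direction cannot be a bound parameter (drivers only bind values),
    # so the only safe option is an exact-match allowlist.
    key = direction.strip().lower()
    if key not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {direction!r}")
    return BASE_QUERY + ALLOWED_DIRECTIONS[key]


def hardened_accepts(direction: str) -> bool:
    """True if the allowlisted builder accepts this direction value."""
    try:
        build_query_hardened(direction)
        return True
    except ValueError:
        return False


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a users table (not Piwigo's real schema).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, status TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash_secret', 'active');
        INSERT INTO users VALUES (2, 'bob',   'hash_bob',    'active');
        INSERT INTO users VALUES (3, 'carol', 'hash_carol',  'active');
        """
    )
    return conn


def row_order(conn: sqlite3.Connection, builder, direction: str) -> list:
    """Return the user ids in the order the built query yields them."""
    return [row[0] for row in conn.execute(builder(direction))]


def oracle_payload(position: int, codepoint: int) -> str:
    # Boolean-blind payload with no quote characters, so a filter that strips
    # quotes or semicolons passes it unchanged.
    # Condition true  -> rows come back in id order (1, 2, 3)
    # Condition false -> rows come back in reverse id order (3, 2, 1)
    return (
        "ASC, (CASE WHEN (SELECT unicode(substr(password, %d, 1)) FROM users "
        "WHERE id = 1) = %d THEN id ELSE -id END)" % (position, codepoint)
    )


def recover_char(conn: sqlite3.Connection, position: int) -> str:
    """Recover one character of user 1's stored password hash through the
    vulnerable builder, using row order as the oracle."""
    for ch in string.ascii_letters + string.digits + "_":
        payload = oracle_payload(position, ord(ch))
        if row_order(conn, build_query_vulnerable, payload) == [1, 2, 3]:
            return ch
    raise RuntimeError("character not in alphabet")


if __name__ == "__main__":
    db = make_db()
    print("first char of admin hash:", recover_char(db, 1))   # 'h'
    print("hardened builder accepts payload:", hardened_accepts(oracle_payload(1, ord("h"))))
    print("hardened builder accepts ' Desc ':", hardened_accepts(" Desc "))
```

The vulnerable builder lets the payload steer the sort key, so each request answers one yes/no question about a stored hash; the hardened builder refuses anything that is not exactly asc or desc, which is the same check the vendor fix needs to enforce on order[0][dir].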
🔍 How to Verify
Check if Vulnerable:
An installation is vulnerable if it runs Piwigo 11.4.0 (or an earlier release that still carries the same unvalidated order[0][dir] handling) and has not had the linked commit applied.
Check Version:
Read the version from the administration dashboard, or from the PHPWG_VERSION constant defined in include/constants.php.
Verify Fix Applied:
Confirm the installation runs Piwigo 11.4.1 or later, and confirm that admin/user_list_backend.php restricts order[0][dir] to asc/desc before it reaches the query (compare the file against the linked commit rather than relying on the version string alone).
📡 Detection & Monitoring
Log Indicators:
- User list queries in the database general/query log whose ORDER BY clause contains subqueries, CASE expressions, comments or additional clauses instead of a bare ASC/DESC
- Administrator logins from unfamiliar addresses, or repeated failed logins followed by successful admin access
- Requests to admin/user_list_backend.php in which order[0][dir] decodes to anything other than asc or desc; note that the parameter only appears in the web server access log when it is sent in the query string, not in a POST body
Network Indicators:
- Unusual database connection patterns from web server
- Large data transfers from database
SIEM Query:
source="web_logs" AND uri="*admin/user_list_backend.php*" AND uri="*order*dir*" AND NOT (uri="*dir%5D=asc&*" OR uri="*dir%5D=desc&*" OR uri="*dir%5D=asc" OR uri="*dir%5D=desc")
The query is written in a generic pseudo-syntax; adapt field names and wildcard rules to your platform. Matching on status 500 alone only catches payloads that cause a SQL syntax error; a working injection returns 200, so alert on the parameter value, not the status code.
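The detection logic in the indicators above, as an added example that is not part of the original page or the Piwigo project: it parses Apache combined-format access log lines, URL-decodes the query string, and flags any request to admin/user_list_backend.php whose order[n][dir] value is not exactly asc or desc. The log lines, IP addresses and timestamps are constructed for this illustration. As noted above, this only works when the parameter travels in the query string; requests that carry it in a POST body need a WAF or request-body log.

```python
"""Added example (not from the page or the Piwigo project): flag requests to
admin/user_list_backend.php whose order[n][dir] value is anything other than
asc or desc.  The log lines are constructed for this illustration and use the
Apache combined log format.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Matches order[0][dir], order[1][dir], ... after URL decoding.
DIR_KEY = re.compile(r"^order\[\d+\]\[dir\]$")
ALLOWED_DIRECTIONS = {"asc", "desc"}
TARGET_PATH = "/admin/user_list_backend.php"   # endswith() tolerates a sub-directory install

# Constructed sample log: two benign sorts, two injected values, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2021:12:00:01 +0000] "GET /admin/user_list_backend.php?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=asc HTTP/1.1" 200 812
203.0.113.5 - - [10/May/2021:12:00:09 +0000] "GET /admin/user_list_backend.php?draw=2&order%5B0%5D%5Bdir%5D=desc HTTP/1.1" 200 815
198.51.100.7 - - [10/May/2021:12:03:44 +0000] "GET /admin/user_list_backend.php?draw=3&order%5B0%5D%5Bdir%5D=asc%2C%28SELECT+1%29 HTTP/1.1" 500 122
198.51.100.7 - - [10/May/2021:12:03:50 +0000] "GET /admin/user_list_backend.php?draw=4&order%5B0%5D%5Bdir%5D=asc%2C%28CASE+WHEN+1%3D1+THEN+id+ELSE+-id+END%29 HTTP/1.1" 200 815
198.51.100.7 - - [10/May/2021:12:04:02 +0000] "GET /index.php?/categories HTTP/1.1" 200 5120
"""


def parse_line(line: str):
    """Split one combined-format line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl decodes %5B/%5D to brackets, '+' to space, %2C to ',' etc.
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def suspicious_directions(entry: dict) -> list:
    """Return (param, value) pairs where a sort direction is not asc/desc."""
    return [
        (key, value)
        for key, value in entry["params"]
        if DIR_KEY.match(key) and value.strip().lower() not in ALLOWED_DIRECTIONS
    ]


def find_suspicious(log_text: str) -> list:
    """Scan a log and return one hit per anomalous order[n][dir] value."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["path"].endswith(TARGET_PATH):
            continue
        for key, value in suspicious_directions(entry):
            hits.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": entry["status"],
                "param": key,
                "value": value,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {hit["param"]}={hit["value"]!r}')
```

The check compares the decoded value against the allowlist rather than searching for SQL keywords, so it catches the 200-status request with the CASE payload as well as the 500-status request that tripped a syntax error, and it does not fire on legitimate asc/desc sorts.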