CVE-2023-26876
📋 TL;DR
This SQL injection vulnerability in Piwigo allows remote attackers to execute arbitrary SQL commands via the filter_user_id parameter in the admin.php endpoint. Attackers could potentially read, modify, or delete database content, and in some configurations execute arbitrary code. All Piwigo installations version 13.5.0 and earlier are affected.
💻 Affected Systems
- Piwigo
📦 What is this software?
Piwigo by Piwigo
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including arbitrary code execution, database exfiltration, and potential lateral movement to underlying infrastructure.
Likely Case
Database compromise leading to data theft, privilege escalation, and potential website defacement.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.
🎯 Exploit Status
Exploit requires authentication to access admin.php endpoint. Public proof-of-concept demonstrates SQL injection via filter_user_id parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.5.1
Vendor Advisory: https://piwigo.com
Restart Required: No
Instructions:
1. Backup your Piwigo installation and database.
2. Download Piwigo 13.5.1 or later from piwigo.com.
3. Replace all files with the new version.
4. Run the update script if prompted.
5. Verify the admin.php?page=history endpoint no longer accepts malicious filter_user_id input.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to ensure the filter_user_id parameter contains only numeric values
Modify admin.php to validate the filter_user_id parameter when it is present (checking it unconditionally would reject every admin.php request that does not carry the parameter): if (isset($_GET['filter_user_id']) && !is_numeric($_GET['filter_user_id'])) { die('Invalid input'); }
WAF Rule
Implement web application firewall rules to block SQL injection attempts on the filter_user_id parameter
Add WAF rule: Detect and block SQL injection patterns in filter_user_id parameter
🧯 If You Can't Patch
- Restrict access to admin.php endpoint using IP whitelisting or authentication requirements
- Implement database user with minimal permissions (read-only where possible) to limit potential damage
🔍 How to Verify
Check if Vulnerable:
Test if admin.php?page=history&filter_user_id=1' OR '1'='1 returns database errors or unexpected results
Check Version:
Check Piwigo version in admin panel or look for version.txt file in installation directory
Verify Fix Applied:
Test the same SQL injection attempt after patching - should return proper error handling or no results
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual database queries from web application user
- Multiple failed parameter validation attempts on admin.php
Network Indicators:
- HTTP requests to admin.php with SQL injection patterns in filter_user_id parameter
- Unusual database traffic from web server
SIEM Query:
source="web_server.log" AND uri="*admin.php*" AND (param="*filter_user_id*'*" OR param="*filter_user_id*%27*")
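The check the SIEM query above expresses, as an added example that is not part of this advisory or of Piwigo: it parses combined-format access log lines (constructed below, not real traffic) and flags any admin.php request whose filter_user_id is not a plain integer after URL decoding, which generalises the quote-only pattern and also catches double-encoded variants.

```python
"""Flag admin.php requests whose filter_user_id is not a plain integer.

Added example (not from the Piwigo project or the advisory). The log
format, sample lines and the integer-only rule are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format log entry: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Legitimate values are integers; an optional leading minus keeps a
# sentinel such as -1 from being reported (assumption, not Piwigo-verified).
NUMERIC_RE = re.compile(r"^-?\d+$")


def suspicious_filter_user_id(line):
    """Return the decoded filter_user_id value if it is non-numeric, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.endswith("admin.php"):
        return None
    # parse_qs decodes one layer of percent-encoding; blank values are dropped
    for raw in parse_qs(parts.query).get("filter_user_id", []):
        decoded = unquote(raw)  # second pass catches %2527-style double encoding
        if not NUMERIC_RE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, value) pairs for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_filter_user_id(line)
        if value is not None:
            hits.append((n, value))
    return hits


# Constructed sample lines (not real traffic); line 2 carries the test string from this page
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2023:10:01:02 +0000] "GET /piwigo/admin.php?page=history&filter_user_id=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Apr/2023:10:01:09 +0000] "GET /piwigo/admin.php?page=history&filter_user_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8731',
    '198.51.100.7 - - [10/Apr/2023:10:02:15 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 4410',
    '203.0.113.5 - - [10/Apr/2023:10:03:44 +0000] "GET /piwigo/admin.php?page=history&filter_user_id=1%2527 HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric filter_user_id -> {value!r}")
```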
🔗 References
- http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html
- http://seclists.org/fulldisclosure/2023/Apr/13
- https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693
- https://piwigo.com
- https://www.tempest.com.br