CVE-2023-27233

8.8 HIGH

📋 TL;DR

CVE-2023-27233 is a SQL injection vulnerability in Piwigo's admin/user_list_backend.php, the server-side backend for the administration user list. The sort direction that the DataTables front end sends in the order[0][dir] parameter is concatenated into the ORDER BY clause instead of being restricted to asc/desc, so an authenticated attacker who can reach the endpoint can inject arbitrary SQL. Piwigo 13.5.0 and earlier are affected; the fix shipped in 13.6.0. Successful exploitation gives read and write access to the Piwigo database through the application's database account.

💻 Affected Systems

Products:
  • Piwigo
Versions: 13.5.0 and earlier (all versions before 13.6.0)
Operating Systems: All platforms running Piwigo
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Piwigo installations with the vulnerable file present. The vulnerability is in core code, not dependent on specific configurations.

📦 What is this software?

Piwigo is an open-source photo gallery web application written in PHP and backed by MySQL/MariaDB. It has a public gallery front end and an administration area; the vulnerable script belongs to the administration area, where it feeds the paginated, sortable user list.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full read/write access to the Piwigo database through the application's database account: theft of user records and password hashes, creation or promotion of administrator accounts, destruction of gallery data, and, if that database account is over-privileged (for example MySQL FILE privilege combined with a writable web root), arbitrary file write leading to remote code execution.

🟠 Likely Case

A malicious or compromised account that can reach the admin user list uses the injection to read or alter data the interface never exposes, such as user password hashes and e-mail addresses, or to tamper with other users' privileges.

🟢 If Mitigated

Limited impact: with the sort direction restricted to asc/desc the flaw is closed, and with the database account holding only the privileges Piwigo needs, any residual damage stays confined to the Piwigo schema.

🌐 Internet-Facing: HIGH - Piwigo is typically internet-facing as a web gallery application, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances could still be exploited by malicious insiders or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session that can reach admin/user_list_backend.php. The script belongs to the administration area, so in practice that means an administrator account or a stolen administrator session. Once authenticated, the injection is a single request: the order[0][dir] value is placed in the query unmodified, no filter bypass is needed, and blind (boolean- or time-based) extraction works through the resulting row order.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.6.0

Vendor Advisory: https://github.com/Piwigo/Piwigo/issues/1872

Restart Required: No

Instructions:

1. Back up the Piwigo installation (including local/config/ and the photo directories) and the database.
2. Upgrade to Piwigo 13.6.0 or later, either through the built-in updater in the administration panel or by downloading the release from the official website and replacing the application files while keeping local/config/, galleries/ and upload/.
3. Verify the upgrade: include/version.inc.php should define PHPWG_VERSION as 13.6.0 or higher, and the gallery and the admin user list should work normally.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Restrict the order[0][dir] parameter to the two values the DataTables front end can legitimately send.

Edit admin/user_list_backend.php so the sort direction is selected from a whitelist (asc or desc, defaulting to asc for anything else) rather than copied into the query. A prepared-statement placeholder cannot express ORDER BY direction, so whitelisting is the only robust fix for this parameter.
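The following is an added example, not Piwigo's code and not the official patch: it puts the unsafe ORDER BY construction next to the whitelist fix and runs both against an in-memory SQLite table that stands in for Piwigo's users table. The column mapping (SORTABLE_COLUMNS), the table contents and the request dicts are constructed for the demonstration; the real script applies the same pattern in PHP against MySQL. The oracle() function shows what the injection actually buys an attacker: a yes/no answer about the admin password hash, read from the row order.

```python
"""Added example, not Piwigo's code: the unsafe ORDER BY construction behind
CVE-2023-27233 next to the whitelist fix, run against an in-memory SQLite
table standing in for Piwigo's users table.  Table contents, the column
mapping and the request dicts are all constructed for the demonstration;
the PHP script uses the same pattern with MySQL."""
import sqlite3

# DataTables column index -> SQL column (hypothetical mapping).  Column names
# are never taken from the request in either builder; only the direction is.
SORTABLE_COLUMNS = {0: "id", 1: "username", 2: "mail_address"}


def order_by_unsafe(request):
    """Vulnerable pattern: the client-supplied sort direction is concatenated
    into the query, so everything after the column name is attacker-controlled."""
    order = request["order"][0]
    col = SORTABLE_COLUMNS[int(order["column"])]
    return f"ORDER BY {col} {order['dir']}"


def order_by_safe(request):
    """Hardened pattern: the direction is chosen from a fixed set, never copied.
    A prepared-statement placeholder cannot hold ORDER BY direction, so a
    whitelist is the right tool; unknown columns fall back to id."""
    order = (request.get("order") or [{}])[0]
    try:
        col = SORTABLE_COLUMNS[int(order.get("column", 0))]
    except (KeyError, ValueError, TypeError):
        col = "id"
    direction = "DESC" if str(order.get("dir", "")).lower() == "desc" else "ASC"
    return f"ORDER BY {col} {direction}"


def run_user_list(request, builder):
    """Stand-in for the user-list backend: (id, username) rows in the order
    produced by the given builder."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, "
                "mail_address TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin@example.org", "$2y$10$constructedhash"),
        (2, "bob", "bob@example.org", "$2y$10$anotherconstructedhash"),
        (3, "carol", "carol@example.org", "$2y$10$yetanotherhash"),
    ])
    rows = con.execute("SELECT id, username FROM users " + builder(request)).fetchall()
    con.close()
    return rows


def oracle(builder, guess):
    """What an ORDER BY injection gives an attacker: a boolean oracle.  The
    payload multiplies the sort key by +1 or -1 depending on a subquery, so
    the row order answers a yes/no question about the admin password hash.
    Against order_by_safe the payload is discarded and the order never changes."""
    payload = ("* (CASE WHEN (SELECT substr(password, 1, 1) FROM users "
               f"WHERE id = 1) = '{guess}' THEN 1 ELSE -1 END)")
    rows = run_user_list({"order": [{"column": "0", "dir": payload}]}, builder)
    return rows[0][0] == 1  # ascending order <=> the guess was right


if __name__ == "__main__":
    for name, builder in (("unsafe", order_by_unsafe), ("safe", order_by_safe)):
        confirmed = [c for c in "$abc" if oracle(builder, c)]
        print(f"{name}: guesses the oracle 'confirms' -> {confirmed}")
    # unsafe confirms only '$'; safe 'confirms' every guess, i.e. leaks nothing
```

Both builders produce the same shape of clause; the only difference is where the direction comes from. That is the whole fix: decide the direction server-side from a comparison, and never let the request string reach the query text.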

Access Restriction (platform: all)

Restrict access to the vulnerable endpoint to trusted IP addresses only.

Add .htaccess rules or web server configuration that limit admin/user_list_backend.php (or the whole admin/ directory) to administrator networks. The endpoint is used only by the admin user list, so ordinary gallery visitors never need it.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) rule for this endpoint that rejects any order[*][dir] value other than asc or desc; generic SQL-keyword signatures are weaker here, because an ORDER BY payload needs no SELECT or UNION.
  • Disable or restrict access to the user_list_backend.php file if not needed.

🔍 How to Verify

Check if Vulnerable:

Any Piwigo version below 13.6.0 (13.5.0 and earlier) is vulnerable; there is no configuration setting that turns the issue off.

Check Version:

Read the version from the admin dashboard or from the PHPWG_VERSION constant defined in include/version.inc.php.

Verify Fix Applied:

Confirm the version is 13.6.0 or higher. To test the behaviour directly, log in as an administrator and request the user list with order[0][dir] set to a harmless value outside the whitelist (for example "asc, 1"): on a fixed install the value is ignored and the result matches the plain asc request. Do not use destructive payloads against a production database.
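A small checker for the version step above, added here as an example rather than taken from Piwigo. It pulls PHPWG_VERSION out of include/version.inc.php (the define() line in the constructed sample mirrors the real file's format) and compares it numerically, so that 13.10.0 is correctly treated as newer than 13.6.0. Pre-release suffixes such as RC1 are ignored, which treats a 13.6.0 pre-release as fixed; that is an assumption of this script.

```python
"""Added example (not part of Piwigo): decide from include/version.inc.php
whether an install is in the affected range for CVE-2023-27233.  The sample
file contents below are constructed; the define() line mirrors the real
file's format."""
import re

FIXED_VERSION = (13, 6, 0)

# What include/version.inc.php looks like (constructed sample).
SAMPLE_VERSION_FILE = """<?php
// Piwigo version file (constructed sample for this example)
define('PHPWG_VERSION', '13.5.0');
"""

_DEFINE_RE = re.compile(
    r"""define\(\s*['"]PHPWG_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_piwigo_version(php_source):
    """Extract the PHPWG_VERSION string from version.inc.php, or None."""
    m = _DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version):
    """'13.10.0' -> (13, 10, 0).  Numeric, so 13.10.0 sorts after 13.6.0
    (a plain string compare would get that wrong).  Any suffix after the
    third number (e.g. 'RC1') is ignored: assumption, see lead-in."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Piwigo version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True for every release before 13.6.0."""
    return version_tuple(version) < FIXED_VERSION


def check_install(php_source):
    """One-line verdict for a version.inc.php file's contents."""
    v = parse_piwigo_version(php_source)
    if v is None:
        return "unknown: PHPWG_VERSION not found"
    return f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}"


if __name__ == "__main__":
    import sys
    # Usage: python piwigo_version_check.py /path/to/piwigo/include/version.inc.php
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_FILE
    print(check_install(src))
```

Run it with the path to a real include/version.inc.php, or with no argument to see the verdict for the constructed 13.5.0 sample.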

📡 Detection & Monitoring

Log Indicators:

  • ORDER BY clauses containing subqueries, CASE expressions, SLEEP()/BENCHMARK() calls or comment sequences in the MySQL general or slow query log
  • Requests to admin/user_list_backend.php whose order[0][dir] value is anything other than asc or desc, the only two values the DataTables front end sends
  • Bursts of requests to that endpoint from a single session, which is what boolean- or time-based extraction through the sort order looks like
  • Admin-area access from unexpected accounts or source addresses

Network Indicators:

  • HTTP GET/POST requests to user_list_backend.php carrying an order[0][dir] value with spaces, commas, parentheses or SQL keywords (the parameter name usually appears URL-encoded as order%5B0%5D%5Bdir%5D)
  • Unusually slow responses from that endpoint (time-based extraction) or an unusual query volume between the web server and the database

SIEM Query:

Match on the whitelist rather than on keywords: a working ORDER BY payload needs no SELECT or UNION, and a keyword list such as OR/AND also matches the literal string "order". Splunk-style:

source="web_logs" uri="*user_list_backend.php*"
| rex field=uri "order(?:%5B|\[)0(?:%5D|\])(?:%5B|\[)dir(?:%5D|\])=(?<sort_dir>[^&\s]+)"
| where NOT match(lower(urldecode(sort_dir)), "^(asc|desc)$")
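The same whitelist check as a stand-alone script, added here as an example and not taken from the page's SIEM or from Piwigo. It parses combined-format access log lines (constructed below), URL-decodes the query string, and flags every request to user_list_backend.php whose order[N][dir] is outside {asc, desc}. The second flagged line carries no SQL keyword at all, which is exactly what a keyword-based rule would miss. Only GET query strings are visible in a standard access log; POST bodies need a WAF or request-body log, so this covers the GET case.

```python
"""Added example (not from the page or from Piwigo): scan web-server access
logs for requests to user_list_backend.php whose order[N][dir] value is
anything other than asc/desc.  The DataTables contract fixes that parameter
to two values, so a whitelist check catches payloads that contain no SQL
keyword at all.  Log lines are constructed; only GET query strings are
visible in a standard access log (POST bodies need a WAF or body log)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines: one benign sort, one keyword-free
# payload, an unrelated gallery request, a benign DESC, and a LIMIT payload.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Mar/2023:12:01:02 +0000] "GET /admin/user_list_backend.php?draw=1&order%5B0%5D%5Bcolumn%5D=0&order%5B0%5D%5Bdir%5D=asc&start=0&length=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:01:09 +0000] "GET /admin/user_list_backend.php?draw=2&order%5B0%5D%5Bcolumn%5D=0&order%5B0%5D%5Bdir%5D=asc%2C%20id%2A-1&start=0&length=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:02:00 +0000] "GET /index.php?/category/3 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:12:03:15 +0000] "GET /admin/user_list_backend.php?draw=3&order%5B0%5D%5Bdir%5D=DESC&start=10&length=10 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2023:12:03:40 +0000] "GET /admin/user_list_backend.php?draw=4&order%5B0%5D%5Bdir%5D=asc%20LIMIT%201&start=0&length=10 HTTP/1.1" 200 411 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ALLOWED_DIRS = {"asc", "desc"}
DIR_KEY = re.compile(r"^order\[\d+\]\[dir\]$")  # DataTables sends order[N][dir]


def sort_dir_values(target):
    """Decoded order[N][dir] values in a request target, or [] if none.
    parse_qs decodes the bracketed parameter name as well as the value."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for k, vals in qs.items() if DIR_KEY.match(k) for v in vals]


def find_suspicious(lines):
    """Return (ip, timestamp, offending value) for every request to
    user_list_backend.php whose sort direction is outside the whitelist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith("/user_list_backend.php"):
            continue
        for value in sort_dir_values(m["target"]):
            if value.lower() not in ALLOWED_DIRS:
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python detect_order_dir.py access.log   (no argument: built-in sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.strip().splitlines()
    for ip, ts, value in find_suspicious(lines):
        print(f"{ts} {ip} order[..][dir]={value!r}")
```

On the sample this reports the "asc, id*-1" and "asc LIMIT 1" requests from 10.0.0.5 and nothing else; the uppercase DESC from 10.0.0.9 passes because the comparison is case-insensitive, matching how the application treats it.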

🔗 References

  • https://github.com/Piwigo/Piwigo/issues/1872
  • https://nvd.nist.gov/vuln/detail/CVE-2023-27233