CVE-2022-26266 - Piwigo v12.2. SQL Injection Vulnerability Uncovered in pwg.users.php

Piwigo v12.2., an open-source photo gallery software for the web, has been discovered to contain a SQL injection vulnerability via the pwg.users.php file. This vulnerability can be exploited by an attacker to potentially access, modify, or delete sensitive information within the application's database. The vulnerability has been assigned the CDN ID CVE-2022-26266.

Vulnerability Details

The SQL injection vulnerability in Piwigo v12.2. exists in the pwg.users.php file, where user input is not properly sanitized before it's used in SQL queries. This allows an attacker to craft malicious queries, which can be executed by the application, potentially leading to unauthorized access, data manipulation, or data leaks.

Exploit Overview

An attacker can exploit this vulnerability by sending crafted HTTP requests containing malicious SQL queries to the vulnerable Piwigo application. By exploiting this vulnerability, an attacker can obtain sensitive information stored in the application's database or manipulate the data to carry out further attacks, such as privilege escalation, data tampering, or data deletion.

Consider the following code snippet from pwg.users.php

<?php
// ...
$user_input = $_POST['user_data'];
$sql_query = "SELECT * FROM users WHERE user_data = '$user_input'";
$result = mysqli_query($db_connection, $sql_query);
// ...
?>

The code above takes user input from $_POST['user_data'] and uses it directly in the SQL query without proper sanitization or parameterization. This opens the door for SQL injection attacks.

An example of a crafted HTTP request exploiting this vulnerability might look like this

POST /path/to/pwg.users.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: ...

user_data=user1' OR 1=1 --+

In this example, the attacker injects the malicious SQL query OR 1=1 in the user_data field, which would result in all records being returned, potentially leaking sensitive data.

Mitigation and Recommendations

Users of Piwigo v12.2. are advised to apply the appropriate security patches as soon as they become available. Meanwhile, the following recommendations should be considered to mitigate the risk associated with this vulnerability:

Utilize secure coding practices to prevent SQL injection vulnerabilities

4. Regularly monitor and audit your application and database logs for signs of unauthorized access or suspicious activity

For more information about this vulnerability, you can refer to the following resources

1. CVE-2022-26266 - NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-26266
2. Piwigo Official Website: https://piwigo.org/
3. Piwigo GitHub Repository: https://github.com/Piwigo/Piwigo
4. OWASP - SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Timeline

Published on: 03/18/2022 23:15:00 UTC
Last modified on: 03/28/2022 18:25:00 UTC