Piwigo SQL Injection Vulnerability in User Management Function

Vulnerability

A SQL injection vulnerability affects Piwigo versions through 13.8.0. It lies in the user management feature of the admin panel, on the 'user_list' page. The 'max_level' and 'min_register' parameters of the advanced user search are passed to the 'ws_user_getList' function in 'include/ws_functions/pwg.users.php', which builds its SQL filter from them without validating or escaping their values before they are concatenated into the query. An attacker who can submit these parameters can therefore alter the query the database executes, potentially leading to information disclosure or code execution.

Impact

Exploitation of this vulnerability allows SQL injection: an attacker who can submit the affected parameters can manipulate the SQL queries executed by the application. This can lead to unauthorized data access, data modification, or, in some configurations, execution of arbitrary code on the server.

Reproduction

To reproduce this vulnerability, navigate to 'admin.php?page=user_list' and submit a user search request that carries the 'max_level' and 'min_register' parameters. Append a single quote to either value. The application responds with a SQL error that echoes the injected query together with the database error message. This shows that the value reached the query unescaped and confirms the injection point.

Remediation

The Piwigo development team addressed this vulnerability in the 15.1.0 update by validating the affected parameters against an allow-list of permitted values. Users on versions prior to 15.1.0 should upgrade. Where an upgrade is not yet possible, a Web Application Firewall (WAF) can add a layer of protection against SQL injection payloads, but it is a mitigation rather than a fix and should not be relied on in place of the update.
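The following example, added here and not taken from Piwigo's code base, models the three points above in Python with an in-memory SQLite database: the vulnerable pattern (filter values concatenated into the WHERE clause), the single-quote probe used in the reproduction step, and the allow-list plus parameter-binding fix. The table layout, the set of privacy levels and the date format for 'min_register' are assumptions made for the example; the sample rows are constructed.

```python
import re
import sqlite3

# Constructed stand-in for the Piwigo user tables. Column names and sample
# rows are assumed for this example and are not the project's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE user_infos (user_id INTEGER, level INTEGER, registration_date TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'alice'), (3, 'bob');
        INSERT INTO user_infos VALUES (1, 8, '2022-01-10'), (2, 2, '2023-03-05'), (3, 4, '2021-07-22');
    """)
    return conn

BASE_SQL = ("SELECT u.id, u.username FROM users u "
            "JOIN user_infos ui ON ui.user_id = u.id")

def vulnerable_user_list(conn, params):
    """Models the flaw: max_level / min_register are pasted into the WHERE clause."""
    where = []
    if "max_level" in params:
        where.append("ui.level <= " + params["max_level"])
    if "min_register" in params:
        where.append("ui.registration_date >= '" + params["min_register"] + "'")
    sql = BASE_SQL + (" WHERE " + " AND ".join(where) if where else "") + " ORDER BY u.id"
    try:
        return {"rows": conn.execute(sql).fetchall(), "sql": sql, "error": None}
    except sqlite3.Error as exc:
        # The reproduction step relies on exactly this behaviour: the failing
        # query and the database error are handed back to the caller.
        return {"rows": [], "sql": sql, "error": str(exc)}

def quote_probe_hits(conn, name, value):
    """Reproduction check: does a trailing single quote in `name` surface a SQL error
    that echoes the injected value?"""
    result = vulnerable_user_list(conn, {name: value + "'"})
    return result["error"] is not None and value + "'" in result["sql"]

# Hardened version: allow-list each parameter, then bind it instead of concatenating.
PRIVACY_LEVELS = {0, 1, 2, 4, 8}  # assumed set of valid privacy levels for the example
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")  # assumed YYYY-MM-DD format for min_register

class InvalidParameter(ValueError):
    pass

def hardened_user_list(conn, params):
    where, args = [], []
    if "max_level" in params:
        try:
            level = int(params["max_level"])
        except ValueError:
            raise InvalidParameter("max_level must be an integer")
        if level not in PRIVACY_LEVELS:
            raise InvalidParameter("max_level is not an allowed level")
        where.append("ui.level <= ?")
        args.append(level)
    if "min_register" in params:
        value = params["min_register"]
        if not DATE_RE.fullmatch(value):
            raise InvalidParameter("min_register must be YYYY-MM-DD")
        where.append("ui.registration_date >= ?")
        args.append(value)
    sql = BASE_SQL + (" WHERE " + " AND ".join(where) if where else "") + " ORDER BY u.id"
    return conn.execute(sql, args).fetchall()

def hardened_rejects(conn, params):
    """True if the hardened handler refuses the parameters before touching the database."""
    try:
        hardened_user_list(conn, params)
    except InvalidParameter:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # A legitimate value of 0 matches no user; the injected tail returns everyone.
    print(vulnerable_user_list(db, {"max_level": "0 OR 1=1"})["rows"])
    print(quote_probe_hits(db, "max_level", "8"))
    print(hardened_rejects(db, {"max_level": "0 OR 1=1"}))
```

The probe mirrors the reproduction step: a legitimate value with a single quote appended produces a database error whose echoed query still contains the quote. The hardened handler rejects that input before any query runs, and because the accepted value is bound with a placeholder rather than concatenated, a value that passes the allow-list cannot change the query's structure either.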

Added: Jul 29, 2025, 8:32 PM
Updated: Jul 29, 2025, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread           6.4
impact           5.0
exploitability   9.7
remediation      0.0
relevance        0.3
threat           6.4
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.