Piwigo
cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*
- <= 16.4.0
A SQL injection vulnerability has been identified in Piwigo, an open-source photo gallery application, in versions prior to 16.3.0. The issue arises in the 'ws_std_image_sql_filter()' function, where four date filter parameters are directly concatenated into SQL queries without proper escaping or type validation. This vulnerability allows an unauthenticated attacker to read the entire database, including user password hashes. The vulnerable parameters are 'f_min_date_available', 'f_max_date_available', 'f_min_date_created', and 'f_max_date_created'.
Exploitation of this vulnerability allows for arbitrary SQL injection, with the potential to extract database information, including user password hashes.
The vulnerability can be reproduced by sending a request to the 'ws.php' endpoint with the 'pwg.categories.getImages' or 'pwg.tags.getImages' methods, using the vulnerable date filter parameters. Because the parameter values are neither validated nor escaped, SQL payloads placed in them reach the query unchanged, and techniques such as time-based blind or error-based SQL injection can be used to extract database information.
Users are advised to upgrade to Piwigo version 16.3.0 or later, where this vulnerability has been patched.
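For reviewing logs from before the upgrade, the following added example (not Piwigo code and not part of the original advisory) flags 'ws.php' requests whose date filter parameters are not plain dates. It assumes a combined-format access log, parameters sent in the query string, and legitimate values of the form YYYY-MM-DD with an optional HH:MM:SS; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The four date filter parameters named in the advisory.
DATE_PARAMS = (
    "f_min_date_available", "f_max_date_available",
    "f_min_date_created", "f_max_date_created",
)
# Assumption: legitimate clients send YYYY-MM-DD, optionally with HH:MM:SS.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?")
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_date_filters(log_line):
    """Return [(param, value)] for ws.php date filters that are not plain dates."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Any ws.php request is checked, whichever API method it names.
    if not url.path.endswith("/ws.php"):
        return []
    # parse_qs percent-decodes values, so encoded quotes are compared decoded.
    query = parse_qs(url.query)
    return [(name, value)
            for name in DATE_PARAMS
            for value in query.get(name, [])
            if not DATE_RE.fullmatch(value)]


def scan(lines):
    """Return [(line_index, (param, value))] for every flagged parameter."""
    return [(i, hit) for i, line in enumerate(lines)
            for hit in suspicious_date_filters(line)]


# Constructed sample lines (documentation IP range, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /ws.php?format=json&method=pwg.categories.getImages&f_min_date_created=2024-01-01 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /ws.php?format=json&method=pwg.tags.getImages&f_max_date_available=2024-01-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?f_min_date_created=x HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for lineno, (param, value) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {param}={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so covering them requires request-body logging at a proxy or WAF.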