Piwigo SQL Injection Vulnerability in pwg.users.getList Web Service API

A SQL injection vulnerability has been identified in the Piwigo photo gallery application, specifically in versions prior to 16.3.0. The issue arises in the pwg.users.getList Web Service API method, where the filter parameter is directly appended to a SQL query without adequate sanitization. This flaw allows authenticated administrators to execute arbitrary SQL commands. The vulnerability has been patched in version 16.3.0.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, with potential consequences including unauthorized data access, modification of database records, and disruption of database availability through resource-intensive queries.

Reproduction

The vulnerability can be reproduced by sending a POST request to the Piwigo Web Service API with the method set to 'pwg.users.getList'. Include a crafted filter parameter that exploits the SQL injection, such as one that closes the SQL string and appends a UNION SELECT payload. This can be done using tools like curl.

Remediation

Users are advised to upgrade to Piwigo version 16.3.0 or later, where this vulnerability has been fixed.