Piwigo SQL Injection Vulnerability in Activity List API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Piwigo, an open-source photo gallery application, in versions prior to 16.3.0. The issue affects the Activity List API endpoint ('pwg.activity.getList') and allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses and other stored content. The root cause is that the 'id' parameter is not properly validated before it is used in the API method's SQL query, so crafted input is interpreted as SQL rather than as an identifier.

Impact

Exploitation gives an authenticated administrator unauthorized read access to the database: user credentials and email addresses can be extracted, as can private photo metadata and album information. Direct manipulation of the database is not possible through this issue, but extracted credentials could facilitate further attacks. Heavy extraction queries can also exhaust database resources and produce a denial-of-service condition.

Reproduction

To reproduce this vulnerability, log in as an administrator and send a POST request to the '/ws.php' endpoint with 'format' set to 'json' and 'method' set to 'pwg.activity.getList'. Include the 'id' parameter with a crafted SQL injection payload, for example one built around the MySQL 'EXTRACTVALUE' function so that database information or user credentials are returned inside the resulting SQL error message. The injection works because the 'id' value is placed into the SQL query without sanitization, so the API's type validation does not stop a non-numeric payload from reaching the query.

Remediation

Upgrade to Piwigo version 16.3.0 or later, which addresses this vulnerability by adding proper validation and sanitization of the 'id' parameter. Upgrade instructions are available on the Piwigo website. Until the upgrade is applied, note that exploitation requires an administrator account: keeping the number of administrator accounts small and reviewing '/ws.php' request logs for 'pwg.activity.getList' calls whose 'id' value is not a plain integer list reduces exposure and helps spot attempted abuse.
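The following is an added example, not Piwigo's own code, illustrating both the strict 'id' validation the fix implies and a triage pass over request bodies of the shape described under Reproduction. It assumes a valid 'id' is one or more non-negative integers separated by commas; Piwigo's actual accepted format and the table and column names in the illustrative query are assumptions, and the sample bodies are constructed, not captured from a real instance.

```python
"""Validation and log triage for the Piwigo pwg.activity.getList 'id' parameter.

Added example, not Piwigo's own code. Assumes form-encoded POST bodies to
/ws.php carrying format, method and id, and that a valid id is a comma
separated list of non-negative integers (an assumption about the API).
"""
import re
from urllib.parse import parse_qs

# Constructed sample bodies; not captured from a real Piwigo instance.
SAMPLE_BODIES = [
    "format=json&method=pwg.activity.getList&id=42",
    "format=json&method=pwg.activity.getList&id=1%2C2%2C3",
    # Error-based injection shape the advisory describes: MySQL raises an
    # XPath error whose message carries the CONCAT() result.
    "format=json&method=pwg.activity.getList"
    "&id=1%20AND%20EXTRACTVALUE(1%2CCONCAT(0x7e%2Cversion()))",
    "format=json&method=pwg.images.getInfo&image_id=7",
]

# Digits and commas only; bounded so a huge value cannot be used for DoS.
_ID_LIST = re.compile(r"\d{1,10}(,\d{1,10})*")


def parse_id_list(raw):
    """Return the ids as ints, or None if the value is not an integer list.

    Spaces, quotes, parentheses and SQL keywords all fail the match, so the
    raw string can never reach a query.
    """
    if not _ID_LIST.fullmatch(raw):
        return None
    return [int(part) for part in raw.split(",")]


def classify_request(body):
    """Classify one form-encoded POST body sent to /ws.php.

    'ok'     -> pwg.activity.getList with a well-formed id
    'reject' -> pwg.activity.getList with an id that fails validation
    'other'  -> any other method, not examined here
    """
    params = parse_qs(body)
    if params.get("method", [""])[0] != "pwg.activity.getList":
        return "other"
    raw_id = params.get("id", [""])[0]
    return "ok" if parse_id_list(raw_id) is not None else "reject"


def build_query(raw_id):
    """Safe path: validated ints go to placeholders, never the raw string.

    Table and column names are illustrative assumptions, not Piwigo's schema.
    """
    ids = parse_id_list(raw_id)
    if ids is None:
        raise ValueError("invalid id list")
    placeholders = ",".join("%s" for _ in ids)
    return f"SELECT * FROM activity WHERE id IN ({placeholders})", ids


def scan(bodies):
    """Return (body, verdict) pairs for a batch of request bodies."""
    return [(body, classify_request(body)) for body in bodies]


if __name__ == "__main__":
    for body, verdict in scan(SAMPLE_BODIES):
        print(f"{verdict:6s} {body}")
```

Run against captured bodies from a reverse proxy or application log, every 'reject' verdict on 'pwg.activity.getList' is worth a look, since a legitimate client has no reason to send anything but integers in 'id'.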

Added: Apr 3, 2026, 10:28 PM
Updated: Apr 3, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 8.2
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.