Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
Piwigo versions 2.8.3 and below are vulnerable to a critical cross-site scripting (XSS) attack. Attackers can inject malicious JavaScript code into the website through specially crafted filenames, potentially leading to account compromise, data theft, and website defacement. This vulnerability allows for the execution of arbitrary code within a user's browser, posing a significant security risk.
Step 1: Payload Delivery: The attacker crafts a malicious filename containing JavaScript code (e.g., <script>alert('XSS')</script>).
Step 2: Plugin Upload Attempt: The attacker attempts to upload a plugin with the malicious filename through the admin/plugin.php interface. This upload is designed to fail, triggering an error condition.
Step 3: Error Generation: The Piwigo application encounters an error during the plugin upload process (e.g., invalid file type, insufficient permissions).
Step 4: Filename Display in Error Message: The admin/plugin.php script displays an error message that includes the attacker-controlled filename.
Step 5: XSS Execution: Because the filename is not properly sanitized, the injected JavaScript code is rendered by the user's browser, leading to XSS execution. The attacker's script runs within the context of the Piwigo website, allowing them to perform actions as the logged-in user (if any).
Root Cause: The vulnerability stems from insufficient input validation and output encoding when handling filenames during error conditions within the admin/plugin.php script. Specifically, when a plugin upload fails, the application fails to properly sanitize the filename before displaying it in an error message. This allows an attacker to inject malicious HTML or JavaScript code into the filename, which is then rendered in the browser. The lack of proper input validation allows the malicious filename to be stored, and the lack of output encoding (e.g., escaping special characters like < and >) allows the injected code to be interpreted by the browser. This results in reflected XSS, where the malicious script is executed in the context of the vulnerable website.