admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
Piwigo versions up to and including 2.8.3 contain a critical File Inclusion vulnerability in admin/batch_manager.php that allows a remote, authenticated administrator to execute arbitrary PHP code on the server. Because the included file runs with the privileges of the web server process, successful exploitation can give the attacker full control over the web server and the data it hosts, including data exfiltration.
Step 1: Authentication: The attacker must first authenticate to the Piwigo application as an administrator; this is a prerequisite for exploiting the vulnerability.
Step 2: Payload Construction: The attacker prepares a malicious PHP payload, typically code that opens a reverse shell, drops a web shell, or performs other actions on the attacker's behalf.
Step 3: Payload Placement: The attacker places the PHP payload somewhere the web server can read it, such as a public directory or any directory from which the web server reads and executes PHP files. Alternatively, a technique such as log poisoning can be used to inject the payload into a log file.
Step 4: Exploitation Request: The attacker sends a crafted HTTP request to admin/batch_manager.php in which the $page['tab'] (mode) parameter is manipulated so that the script includes the attacker's payload; the value is set to the location of that payload (e.g., /path/to/malicious.php).
Step 5: Code Execution: When the vulnerable script processes the request, it includes the attacker's file, and the PHP code inside it is executed by the web server, granting the attacker control.
The vulnerability stems from insufficient input validation in admin/batch_manager.php: the script passes the value of $page['tab'] directly to a require or include statement without proper sanitization, so the requester controls which PHP file is included and executed. The root cause is the use of user-supplied data in a security-critical operation without validation. The script assumes $page['tab'] always names a legitimate file inside the intended application directory and does not account for malicious input. The result is a Local File Inclusion (LFI) vulnerability that can be escalated to Remote Code Execution (RCE) by including a PHP file the attacker controls.
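The following PHP is an added illustration of the flaw class described above and its fix; it is not Piwigo's code and does not reproduce the real admin/batch_manager.php. The tab dispatcher layout (an admin/tabs/ directory, the tab names 'global' and 'unit', the function names, and the use of the mode query parameter to populate $page['tab']) is constructed for the example. The vulnerable function shows the pattern the advisory describes, where a request value reaches include() unchecked; the hardened version maps the request value onto a closed allowlist and then verifies the resolved path before including it.

```php
<?php
// Added example, not Piwigo's code. File layout and names are assumptions.

// --- Vulnerable pattern: request-controlled value reaches include() unchecked ---
function include_tab_unsafe(string $tab): void
{
    // The caller assumes $tab names a file inside admin/tabs/. Nothing stops
    // "../" sequences, absolute paths, or a path to an uploaded file.
    include __DIR__ . '/admin/tabs/' . $tab . '.php';
}

// --- Hardened pattern: closed allowlist plus path containment check ---
// Constructed tab names for the example; a real application lists its own tabs.
const ALLOWED_TABS = ['global', 'unit'];

function resolve_tab(?string $requested, string $default = 'global'): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    // Strict comparison: no type juggling, no prefix or partial matches.
    if (!in_array($requested, ALLOWED_TABS, true)) {
        http_response_code(400);
        exit('invalid tab');
    }
    return $requested;
}

function include_tab_safe(string $tab): void
{
    // $tab is now one of the fixed strings above: the requester chooses among
    // approved tabs, not which file on disk gets loaded.
    $base = realpath(__DIR__ . '/admin/tabs');
    $real = realpath($base . DIRECTORY_SEPARATOR . $tab . '.php');

    // Defence in depth: the resolved path must exist and stay inside $base.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        exit('tab file missing');
    }
    include $real;
}

// Usage: the mode query parameter stands in for $page['tab'], as the advisory notes.
$page = [];
$page['tab'] = resolve_tab($_GET['mode'] ?? null);
include_tab_safe($page['tab']);
```

The allowlist is the fix that matters: once the include target is chosen from a fixed set of strings, neither path traversal nor a pointer to an uploaded or poisoned file can reach include(). The realpath containment check is a secondary guard against a later refactor that reintroduces string concatenation. For detection on unpatched installations, web server access logs for admin/batch_manager.php can be reviewed for mode values containing path separators, ".." sequences, or anything outside the application's known tab names.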