Piwigo Facetag 0.0.3 – SQL Injection [CVE-2017-9426] – DigitalMunition





Published on May 30th, 2017



What is Piwigo?
Piwigo is photo gallery software for the web, built by an active community of users and developers. Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and open source.

Facetag extension in Piwigo.
This plugin extends Piwigo with the ability to tag faces in pictures. It adds a button on photo pages that lets you tag a face on the picture.

Piwigo's Facetag extension has multiple SQL injections.

The Facetag extension provides an additional button on the photo page that lets a visitor or user tag any name on that image.

Affected methods:
1) facetag.changeTag
2) facetag.listTags

1) facetag.changeTag
When we give a tag name to a photo, the request is sent to the server by the POST method and its values are used directly in the server's database query. The POST request contains parameters such as id, imageId, name, etc.
Affected parameter: imageId=

2) facetag.listTags
When we view any image on the server, the facetag.listTags method is called through the ws.php file with the imageId= parameter and fetches the facetag names in JSON format.
Affected parameter: imageId=
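As an added example, not code from the advisory or from the Piwigo project: a small Python check that scans web-server access-log lines (constructed samples below, using the advisory's test host) for ws.php calls to the two affected methods and flags any imageId that is not a plain integer. It assumes the common log format; since facetag.changeTag sends imageId in the POST body, which the access log does not record, those calls are only marked for body review.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2017:14:20:15 +0000] "GET /ws.php?format=json&method=facetag.listTags&imageId=42 HTTP/1.1" 200 311
192.0.2.11 - - [30/May/2017:14:20:16 +0000] "GET /ws.php?format=json&method=facetag.listTags&imageId=42%27 HTTP/1.1" 200 4870
192.0.2.12 - - [30/May/2017:14:20:17 +0000] "POST /ws.php?format=json&method=facetag.changeTag HTTP/1.1" 200 51
192.0.2.13 - - [30/May/2017:14:20:18 +0000] "GET /index.php?/category/3 HTTP/1.1" 200 9120
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AFFECTED_METHODS = {"facetag.listTags", "facetag.changeTag"}


def inspect_line(line):
    """Return a finding for a ws.php call to an affected method, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/ws.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # decodes %27 -> '
    api = qs.get("method", [""])[0]
    if api not in AFFECTED_METHODS:
        return None
    image_ids = qs.get("imageId")
    if image_ids is None:
        verdict = "review-body"  # POSTed imageId is not in the access log
    elif all(re.fullmatch(r"[0-9]+", v) for v in image_ids):
        verdict = "ok"  # a bare integer is the only legitimate image id
    else:
        verdict = "suspicious"  # non-numeric imageId against a known SQLi sink
    return {"ip": m["ip"], "method": api, "imageId": image_ids, "verdict": verdict}


def scan_log(text):
    """Run inspect_line over every line and keep only the findings."""
    return [r for r in (inspect_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```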

NOTE: the domain “www.test.touhid” is not registered on the internet; it is hosted on touhid's local machine.

*—————————-*————————————*

Website :http://touhidshaikh.com
Blog : http://touhidshaikh.com/blog/
Github : https://github.com/touhidshaikh
Youtube : https://www.youtube.com/channel/UC7lxfIwNnSIE7ei9O2K8ZKw
Google+ : https://plus.google.com/111689423470502561872
Facebook : www.facebook.com/tauheeds1

*—————————-*————————————*





One Response to Piwigo Facetag 0.0.3 – SQL Injection [CVE-2017-9426]

  1. feel free to contact me at :
    amyral.contact@gmail.com
    i have good deal with you [ serious ]
