FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

piwigo -- CSRF/Path Traversal

Affected packages
piwigo < 2.4.7


VuXML ID edd201a5-8fc3-11e2-b131-000c299b62e1
Discovery 2013-02-06
Entry 2013-03-18

High-Tech Bridge Security Research Lab reports:

The CSRF vulnerability exists due to insufficient verification of the HTTP request origin in the "/admin.php" script. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and create an arbitrary PHP file on the remote server.

The path traversal vulnerability exists due to insufficient filtration of user-supplied input in the "dl" HTTP GET parameter passed to the "/install.php" script. The script is present on the system after installation by default, and can be accessed by an attacker without any restrictions.


CVE Name CVE-2013-1468
CVE Name CVE-2013-1469
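As an added illustration (not part of this advisory or of Piwigo's own code), the following Python sketch contrasts the unfiltered "dl" parameter handling the report describes with a confined version that keeps the resolved path inside the intended directory. The directory name, the function names and the assumption that `dl` arrives as the raw (still percent-encoded) query value are all assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for the example: the only directory the installer should serve from.
ALLOWED_DIR = "/var/www/piwigo/install"


def unsafe_dl_path(dl: str) -> str:
    """Pattern the advisory describes: the parameter is joined to a directory
    with no filtering, so '../' sequences in it escape that directory."""
    return posixpath.join(ALLOWED_DIR, dl)


def safe_dl_path(dl: str, base_dir: str = ALLOWED_DIR) -> Optional[str]:
    """Return the normalised path if it stays strictly inside base_dir, else None.

    Assumes `dl` is the raw query value, so one percent-decode is applied here
    (a framework that already decodes it would skip the unquote call).
    Normalisation is lexical only; symlinks inside base_dir are not followed.
    """
    name = unquote(dl)
    # Empty names, NUL bytes, absolute paths and backslashes are rejected outright.
    if not name or "\x00" in name or name.startswith("/") or "\\" in name:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    # The result must be below base_dir, not base_dir itself or anything above it.
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values: a legitimate file and several traversal attempts.
    for value in ("config.sql", "sub/../notes.txt", "../../../etc/passwd",
                  "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "..", ""):
        print(repr(value), "->", unsafe_dl_path(value), "|", safe_dl_path(value))
```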