Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)

Understanding Stored Cross-Site Scripting in Piwigo v13.7.0: A Critical Security Vulnerability

On June 25, 2023, cybersecurity researcher Okan Kurtulus disclosed a significant security flaw in Piwigo v13.7.0, a widely used open-source photo gallery platform. The vulnerability, identified as Stored Cross-Site Scripting (XSS), affects authenticated users and has the potential to compromise both user data and application integrity.

What Is Stored Cross-Site Scripting (XSS)?

Stored XSS occurs when malicious scripts are injected into a web application's database or storage system and are later retrieved and executed by other users. Unlike reflected XSS, which requires user interaction with a crafted URL, stored XSS persists across sessions and can affect multiple users without additional action.

This type of attack is particularly dangerous because it bypasses traditional input validation and can be triggered automatically when a page is loaded. The attacker’s script is stored in a seemingly harmless field—such as a photo description—and executed whenever the page is viewed.

Exploitation in Piwigo v13.7.0

As demonstrated in the proof of concept, the vulnerability exists in the photo description field within Piwigo’s photo editing interface. An authenticated user with upload privileges can inject a malicious payload during the photo upload process.

<script>alert(1);</script>

This simple JavaScript payload, when stored in the description field, will execute in the browser of any user who views the photo on the public gallery page.

Step-by-Step Exploit Process

• Install and Log In: Deploy Piwigo v13.7.0 on a system like Ubuntu 22.04 and log in with an account that has photo upload permissions.
• Upload a Photo: Navigate to the "Photos" section, click "Add," and upload any image.
• Inject XSS Payload: Open the photo editing screen, enter the script into the "Description" field, and save.
• Trigger the Attack: Visit the gallery homepage and view the uploaded photo. The script executes in the user’s browser, triggering the alert(1) popup.

Impact and Risk Assessment

Attack Vector	Severity	Exploitability	Impact
Stored XSS (Authenticated)	High	Medium	Session hijacking, data theft, CSRF, phishing

While the proof-of-concept uses a harmless alert() function, real-world exploitation could involve more destructive payloads:

• Stealing session cookies via document.cookie extraction.
• Redirecting users to malicious websites using window.location.
• Injecting phishing forms or fake login screens.
• Executing malicious scripts from external domains (e.g., via fetch()).

Why This Vulnerability Matters

Piwigo is used by thousands of individuals and organizations to manage photo collections, often including sensitive or private images. The presence of a stored XSS vulnerability in a feature that handles user-generated content—such as descriptions—creates a persistent attack surface.

Attackers with limited access (e.g., a regular user) can escalate their privileges by planting scripts that capture credentials or manipulate user behavior. This is especially concerning in environments where multiple users access the same gallery, such as corporate intranets or community forums.

Technical Root Cause

The core issue lies in insufficient input sanitization and lack of output encoding in the description field. When a user submits a description, the system stores it directly in the database without filtering or escaping HTML/JavaScript characters.

Upon rendering the photo page, the description is retrieved and displayed without proper escaping. This allows scripts to be executed in the browser context.

Security Best Practices to Prevent Such Vulnerabilities

Developers and administrators should follow these principles to mitigate risks:

• Input Validation: Reject or sanitize any input containing script tags, JavaScript keywords, or HTML attributes.
• Output Encoding: Always encode user-generated content before rendering it in the browser. Use libraries like DOMPurify or built-in HTML escaping functions.
• Content Security Policy (CSP): Implement a strict CSP header to block inline scripts and unauthorized script sources.
• Role-Based Access Control: Limit upload and edit privileges to trusted users only.
• Regular Security Audits: Conduct penetration testing and code reviews to detect vulnerabilities early.

Corrected Code Example (Security Fix)

// Before: Vulnerable
function displayDescription(description) {
  document.getElementById('desc').innerHTML = description;
}

// After: Secure
function displayDescription(description) {
  const sanitized = DOMPurify.sanitize(description);
  document.getElementById('desc').innerHTML = sanitized;
}

This corrected implementation uses DOMPurify, a widely trusted JavaScript library for sanitizing HTML content. It removes dangerous elements like <script>, <iframe>, and event handlers, ensuring that only safe content is rendered.

Conclusion

The Piwigo v13.7.0 stored XSS vulnerability serves as a critical reminder of the importance of secure input handling in web applications. Even seemingly benign features like photo descriptions can become entry points for serious attacks when proper security measures are neglected.

Users of Piwigo should upgrade immediately to a patched version and administrators should enforce strict content validation policies. For developers, this case underscores the need for proactive security design—where every user input is treated as potentially malicious until proven otherwise.