Test ID:	1.3.6.1.4.1.25623.1.0.803340
Category:	Web application abuses
Title:	Piwigo Cross Site Request Forgery and Path Traversal Vulnerabilities
Summary:	Piwigo is prone to cross-site request forgery (CSRF) and path; traversal vulnerabilities.
Description:	Summary: Piwigo is prone to cross-site request forgery (CSRF) and path traversal vulnerabilities. Vulnerability Insight: - Flaw in the LocalFiles Editor plugin, it does not require multiple steps or explicit confirmation for sensitive transactions. - Input passed via 'dl' parameter to install.php is not properly sanitized before being used. Vulnerability Impact: Successful exploitation will allow remote attackers to create arbitrary PHP file or to retrieve and delete arbitrary files in the context of the affected application. Affected Software/OS: Piwigo version 2.4.6 and prior Solution: Upgrade to Piwigo version 2.4.7 CVSS Score: 7.6 CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-1468 Bugtraq: 20130227 Multiple Vulnerabilities in Piwigo (Google Search) http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html http://www.exploit-db.com/exploits/24561 http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html https://www.htbridge.com/advisory/HTB23144 http://www.osvdb.org/90504 http://secunia.com/advisories/52228 Common Vulnerability Exposure (CVE) ID: CVE-2013-1469 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Copyright	Copyright (C) 2013 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.