Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
; F4 p% G7 R0 q9 v( o6 F- Q
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
4 G6 q; q5 H" T& N7 V5 o5 @+ W" R113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
) {1 r$ j. m) ~% u6 \& X114: {
" y* j" b7 E' S; s! b115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
! Y9 n; |4 C9 u- P( j8 J0 m116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
1 S. t' C: B( U9 {( I# M120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
: G0 z0 g$ T- w  w4 x122:   unlink($filename);
123:   exit();
. D8 M) [" r1 Z- P124: }
8 ^: c# |: d# u9 i====================================================================

& {* Q+ U# k0 o# |) T" wTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
& i  a! W% t5 F# Q# a1 V, S* a           MySQL 5.5.25a
$ }4 \2 }, L5 s  [- }8 A5 [
6 ]0 [( _/ a6 L: vVulnerability discovered by Gjoko 'LiquidWorm' Krstic
0 d0 X' w2 v0 O% x6 E1 ~  Q                            @zeroscience

' T1 R& c9 D0 a: SAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
6 V" O+ G7 M4 s9 X7 s* u. e! j
# v/ A+ w# J6 B  c) E. f4 [4 @15.02.2013

7 {; a9 o; O+ q) j; n/ k% \( B--
/ ^: h8 _) V2 r) chttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

# z5 {, ?) W5 L